CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 3 of 31.
- Question #101 (Security Architecture and Engineering)
  According to best practice, which of the following is required when implementing third-party software in a production environment?
  Tags: third-party software, vulnerability scanning, secure procurement, software integration
- Question #102 (Communication and Network Security)
  Which of the following is the BEST solution to provide redundancy for telecommunications links?
  Tags: network redundancy, telecommunications, business continuity, disaster recovery
- Question #103 (Security Assessment and Testing)
  The amount of data that will be collected during an audit is PRIMARILY determined by the:
  Tags: audit planning, audit scope, security audit
- Question #104 (Software Development Security)
  Which of the following are required components for implementing software configuration management systems?
  Tags: software configuration management, change management, audit control, SDLC
- Question #105 (Security Architecture and Engineering)
  For a service provider, which of the following MOST effectively addresses confidentiality concerns for customers using cloud computing?
  Tags: cloud security, data confidentiality, data segregation, multi-tenancy
- Question #106 (Identity and Access Management (IAM))
  Which of the following BEST mitigates a replay attack against a system using identity federation and a Security Assertion Markup Language (SAML) implementation?
  Tags: replay attack, SAML, identity federation, timed sessions
- Question #107 (Software Development Security)
  What is the BEST method to detect the most common improper initialization problems in programming languages?
  Tags: static analysis, secure coding, vulnerability detection, software testing
- Question #108 (Security and Risk Management)
  During the procurement of a new information system, it was determined that some of the security requirements were not addressed in the system specification. Which of the following...
  Tags: security requirements, system procurement, requirements definition, risk management
- Question #109 (Asset Security)
  Which of the following is required to determine classification and ownership?
  Tags: data classification, data ownership, asset identification, information governance
- Question #110 (Communication and Network Security)
  A large university needs to enable student access to university resources from their homes. Which of the following provides the BEST option for low maintenance and ease of deployme...
  Tags: remote access, VPN, SSL VPN, network architecture
- Question #111 (Security and Risk Management)
  A risk assessment report recommends upgrading all perimeter firewalls to mitigate a particular finding. Which of the following BEST supports this recommendation?
  Tags: risk assessment, risk mitigation, cost-benefit analysis, ALE
- Question #112 (Identity and Access Management (IAM))
  A system is developed so that its business users can perform business functions but not user administration functions. Application administrators can perform administration functio...
  Tags: separation of duties, least privilege, access control, security principles
- Question #113 (Security Operations)
  What is the MOST effective method for gaining unauthorized access to a file protected with a long complex password?
  Tags: social engineering, password attacks, attack vectors, human factors
- Question #114 (Security and Risk Management)
  A security manager has noticed an inconsistent application of server security controls resulting in vulnerabilities on critical systems. What is the MOST likely cause of this issue...
  Tags: security baselines, configuration management, security controls, policy enforcement
- Question #115 (Identity and Access Management (IAM))
  Which of the following is the BEST countermeasure to brute force login attacks?
  Tags: brute force attack, authentication, account lockout, security countermeasures
- Question #116 (Security and Risk Management)
  A Business Continuity Plan (BCP) is based on
  Tags: Business Continuity Plan, BCP, business impact analysis, disaster recovery
- Question #117 (Communication and Network Security)
  When implementing a secure wireless network, which of the following supports authentication and authorization for individual client endpoints?
  Tags: wireless security, WPA2 Enterprise, 802.1X, network authentication
- Question #118 (Security Operations)
  A thorough review of an organization's audit logs finds that a disgruntled network administrator has intercepted emails meant for the Chief Executive Officer (CEO) and changed them...
  Tags: man-in-the-middle, MITM, email security, network attacks
- Question #119 (Security Architecture and Engineering)
  Which of the following is the MOST effective attack against cryptographic hardware modules?
  Tags: cryptographic attacks, side-channel attacks, hardware security
- Question #120 (Asset Security)
  Which of the following is the MOST difficult to enforce when using cloud computing?
  Tags: cloud security, data lifecycle, data disposal, shared responsibility
- Question #121 (Security Assessment and Testing)
  Which of the following is the BEST way to determine if a particular system is able to identify malicious software without executing it?
  Tags: malware detection, antivirus testing, EICAR
- Question #122 (Asset Security)
  Which of the following is a BEST practice when traveling internationally with laptops containing Personally Identifiable Information (PII)?
  Tags: data protection, PII, travel security, data minimization
- Question #123 (Identity and Access Management)
  Which of the following assures that rules are followed in an identity management architecture?
  Tags: identity management, policy enforcement, access control
- Question #124 (Identity and Access Management)
  Which of the following violates identity and access management best practices?
  Tags: account management, best practices, generic accounts, accountability
- Question #125 (Security and Risk Management)
  When dealing with compliance with the Payment Card Industry Data Security Standard (PCI-DSS), an organization that shares cardholder information with a service provider MUST do w...
  Tags: PCI-DSS, compliance, third-party risk, service provider management
- Question #126 (Communication and Network Security)
  What is the MAIN feature that onion routing networks offer?
  Tags: onion routing, anonymity, network privacy
- Question #127 (Security and Risk Management)
  Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data?
  Tags: security policies, data handling, personal data, administrative awareness
- Question #128 (Identity and Access Management)
  Which of the following methods provides the MOST protection for user credentials?
  Tags: authentication methods, user credentials, digest authentication
- Question #129 (Security and Risk Management)
  Which of the following MOST influences the design of the organization's electronic monitoring policies?
  Tags: privacy laws, electronic monitoring, security policies, legal compliance
- Question #130 (Security Architecture and Engineering)
  Without proper signal protection, embedded systems may be prone to which type of attack?
  Tags: embedded systems, side-channel attacks, information disclosure, physical security
- Question #131 (Security Operations)
  Which of the following is a detective access control mechanism?
  Tags: access control, detective controls, log review
- Question #132 (Security Operations)
  Which of the following BEST describes Recovery Time Objective (RTO)?
  Tags: RTO, disaster recovery, business continuity
- Question #133 (Asset Security)
  An organization publishes and periodically updates its employee policies in a file on its intranet. Which of the following is a PRIMARY security concern?
  Tags: data integrity, policy management, intranet security
- Question #134 (Security and Risk Management)
  An online retail company has formulated a record retention schedule for customer transactions. Which of the following is a valid reason a customer transaction is kept beyond the re...
  Tags: data retention, legal hold, compliance, data lifecycle
- Question #135 (Asset Security)
  Which of the following is the MAIN goal of a data retention policy?
  Tags: data retention policy, data integrity, data confidentiality, compliance
- Question #136 (Identity and Access Management)
  Which of the following problems is not addressed by using OAuth (Open Standard for Authorization) 2.0 to integrate a third-party identity provider for a service?
  Tags: OAuth 2.0, authorization, third-party identity, API security
- Question #137 (Security Architecture and Engineering)
  The use of a proximity card to gain access to a building is an example of what type of security control?
  Tags: physical security, access control, proximity card
- Question #138 (Identity and Access Management)
  Multi-Factor Authentication (MFA) is necessary in many systems given common types of password attacks. Which of the following is a correct list of password attacks?
  Tags: password attacks, brute force, dictionary attack, phishing, keylogger
- Question #139 (Identity and Access Management)
  Which of the following is an example of two-factor authentication?
  Tags: two-factor authentication, authentication factors
- Question #140 (Identity and Access Management)
  Which item below is a federated identity standard?
  Tags: federated identity, SAML, identity standards
- Question #141 (Identity and Access Management)
  What is a common challenge when implementing Security Assertion Markup Language (SAML) for identity integration between an on-premise environment and an external identity provider ser...
  Tags: SAML, identity integration, user provisioning, federated identity
- Question #142 (Identity and Access Management)
  Refer to the information below to answer the question. A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at...
  Tags: least privilege, access control, user privileges, endpoint security
- Question #143 (Communication and Network Security)
  Refer to the information below to answer the question. A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at...
  Tags: P2P detection, IPS, network security, traffic monitoring
- Question #144 (Security Operations)
  Refer to the information below to answer the question. A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at...
  Tags: incident response, malware removal, system re-imaging, endpoint remediation
- Question #145 (Security and Risk Management)
  Refer to the information below to answer the question. A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at...
  Tags: acceptable use policy, security policies, asset use
- Question #146 (Security Architecture and Engineering)
  Refer to the information below to answer the question. A security practitioner detects client-based attacks on the organization's network. A plan will be necessary to address these...
  Tags: client hardening, endpoint security, vulnerability management, security architecture
- Question #147 (Asset Security)
  Refer to the information below to answer the question. A security practitioner detects client-based attacks on the organization's network. A plan will be necessary to address these...
  Tags: mobile code, client-side attacks, exploit vectors, application security
- Question #148 (Security and Risk Management)
  Refer to the information below to answer the question. A security practitioner detects client-based attacks on the organization's network. A plan will be necessary to address these...
  Tags: security awareness, employee training, client-side exploitation, user behavior
- Question #149 (Security and Risk Management)
  Refer to the information below to answer the question. A security practitioner detects client-based attacks on the organization's network. A plan will be necessary to address these...
  Tags: client-side attacks, attack vectors, risk assessment, threat landscape
- Question #150 (Identity and Access Management)
  Refer to the information below to answer the question. A large organization uses unique identifiers and requires them at the start of every system session. Application access is ba...
  Tags: RBAC, access control models, job classification, permissions