CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 31 of 31.
- Question #1501: Security Operations
  Which of the following is the MOST comprehensive Business Continuity (BC) test?
  Tags: business continuity, disaster recovery testing, BCP testing
- Question #1502: Security Operations
  The disaster recovery (DR) process should always include
  Tags: disaster recovery plan, DRP maintenance, plan lifecycle
- Question #1503: Security Operations
  Which of the following BEST describes the purpose of software forensics?
  Tags: software forensics, malware analysis, digital forensics
- Question #1504: Security Architecture and Engineering
  The security architect has been assigned the responsibility of ensuring integrity of the organization's electronic records. Which of the following methods provides the strongest le...
  Tags: data integrity, digital signature, hashing, non-repudiation
- Question #1505: Security Assessment and Testing
  An application is used for funds transfer between an organization and a third party. During a security audit, an issue with the business continuity/disaster recovery policy and pro...
  Tags: SOC reports, third-party risk, audit reports, BC/DR
- Question #1506: Software Development Security
  An organization purchased a commercial off-the-shelf (COTS) software several years ago. The information technology (IT) Director has decided to migrate the application into the clo...
  Tags: COTS security, application security, patch management, vulnerability management
- Question #1507: Security Assessment and Testing
  Which reporting type requires a service organization to describe its system and define its control objectives and controls that are relevant to users' internal control over financia...
  Tags: SOC reports, financial reporting, auditing standards
- Question #1508: Security Operations
  The Chief Information Security Officer (CISO) is concerned about business application availability. The organization was recently subject to a ransomware attack that resulted in th...
  Tags: recovery time objective, ransomware recovery, virtualization, business continuity
- Question #1509: Software Development Security
  Which of the following is the GREATEST risk of relying only on Capability Maturity Models (CMM) for software to guide process improvement and assess capabilities of acquired softwa...
  Tags: CMM, software maturity models, software security, risk management
- Question #1510: Security Assessment and Testing
  Which of the following should exist in order to perform a security audit?
  Tags: security audit, audit framework, compliance
- Question #1511: Security Architecture and Engineering
  Which of the following encryption technologies has the ability to function as a stream cipher?
  Tags: block cipher modes, stream cipher, CFB, encryption
- Question #1512: Software Development Security
  An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim's existing browser session with a web application is an exa...
  Tags: web application security, CSRF, social engineering, browser attacks
- Question #1513: Software Development Security
  Which of the following is the BEST method to identify security controls that should be implemented for a web-based application while in development?
  Tags: threat modeling, application security, SDLC, security controls
- Question #1514: Asset Security
  A security professional has reviewed a recent site assessment and has noted that a server room on the second floor of a building has Heating, Ventilation, and Air Conditioning (HVA...
  Tags: physical security, HVAC security, fire suppression, risk mitigation
- Question #1515: Security Architecture and Engineering / Identity and Access Management (IAM) - commonly tested in CISSP Domain 4 (Communication and Network Security) and Domain 5 (Identity and Access Management)
  Drag and Drop Question: Given the various means to protect physical and logical assets, match the access management area to the technology.
  Tags: Access Control, Defense in Depth, Physical Security, Logical Security
- Question #1516: Asset Security - Understanding and applying data classification policies and procedures (CISSP Domain 2 / CompTIA Security+ Data Protection)
  Drag and Drop Question: Place the following information classification steps in sequential order.
  Tags: Information Classification, Data Governance, Security Markings, Asset Management
- Question #1517: Security and Risk Management
  Drag and Drop Question: In which order, from MOST to LEAST impacted, does user awareness training reduce the occurrence of the events below?
  Tags: Security Awareness Training, Human Factor, Threat Mitigation, User Behavior
- Question #1518: Security Engineering / Risk Management Framework - understanding foundational security engineering terminology including risk characterization, protection needs determination, threat assessment, and risk treatment strategies as defined in standards such as NIST SP 800-160 and ISO/IEC 27005.
  Drag and Drop Question: Drag the following Security Engineering terms on the left to the BEST definition on the right.
  Tags: Security Engineering, Risk Management, Threat Assessment, Protection Needs Analysis
- Question #1519: Security Operations / Asset Security - Understanding data sanitization, media handling, and methods to mitigate data remanence risks on magnetic storage media (CISSP Domain 2: Asset Security or CompTIA Security+ Domain: Implementation)
  Drag and Drop Question: Place in order, from BEST (1) to WORST (4), the following methods to reduce the risk of data remanence on magnetic media.
  Tags: Data Remanence, Media Sanitization, Data Destruction, Information Security Controls
- Question #1520: Security and Risk Management - specifically the development, implementation, and management of BC/DR plans as tested in certifications such as CISSP (Domain 1), CompTIA Security+, and CISM.
  Drag and Drop Question: Below are the common phases to creating a Business Continuity/Disaster Recovery (BC/DR) plan. Drag the remaining BC/DR phases to the appropriate correspondin...
  Tags: Business Continuity Planning, Disaster Recovery, Risk Management, Security Governance
- Question #1521: Understand the structure and practice areas within the OWASP Software Assurance Maturity Model (SAMM) Governance domain, including the ability to match security practices to their corresponding assessment objectives.
  Drag and Drop Question: Match the objectives to the assessment questions in the governance domain of Software Assurance Maturity Model (SAMM).
  Tags: SAMM, Software Assurance Maturity Model, Governance Domain, Security Practices
- Question #1522: Software Development Security
  Drag and Drop Question: A software security engineer is developing a black box-based test plan that will measure the system's reaction to incorrect or illegal inputs or unexpected o...
  Tags: Software Testing, Black Box Testing, Functional Testing, Application Security
- Question #1523: CompTIA Security+ / CySA+ - Vulnerability Management and Patch Management Processes (Operations and Incident Response / Security Operations domain)
  Drag and Drop Question: Order the below steps to create an effective vulnerability management process.
  Tags: Vulnerability Management, Patch Management, Risk Management, Security Operations
- Question #1524: CompTIA Security+ / CISSP - Identity and Access Management (IAM): Understanding and differentiating between access control models and their associated restriction mechanisms.
  Drag and Drop Question: Match the name of the access control model with its associated restriction. Drag each access control model to its appropriate restriction access on the right. An...
  Tags: Access Control Models, Identity and Access Management, Security Policies, Authorization
- Question #1526: Security Engineering and Risk Management - Understanding core security engineering terminology and the relationships between risk identification, assessment, protection planning, and risk treatment within a structured security framework (aligned with CISSP, CSSLP, or similar certifications).
  Drag and Drop Question: Drag the following Security Engineering terms on the left to the BEST definition on the right.
  Tags: Security Engineering, Risk Management, Threat Assessment, Protection Needs
- Question #1527: Risk Management and Information Security Assessment Methodology
  Drag and Drop Question: What is the correct order of steps in an information security assessment? Place the information security assessment steps on the left next to the numbered bo...
  Tags: Information Security Assessment, Risk Management, Vulnerability Assessment, Security Governance
- Question #1528: Audit Process and Governance - Understanding the roles and responsibilities of key stakeholders in planning and executing an external audit, typically aligned with CISA, ISO 27001, or similar compliance frameworks.
  Drag and Drop Question: Match the functional roles in an external audit to their responsibilities. Drag each role on the left to its corresponding responsibility on the right. Answe...
  Tags: External Audit, Governance Roles, Audit Management, Compliance
- Question #1529: Security and Risk Management - Understand and apply security concepts including security evaluation models and international standards (CISSP Domain 1 / Security Architecture and Engineering Domain 3)
  Drag and Drop Question: Match the level of evaluation to the correct Common Criteria (CC) assurance level. Drag each level of evaluation on the left to its corresponding CC assurance...
  Tags: Common Criteria, Evaluation Assurance Levels (EAL), Security Standards, Product Certification
- Question #1530: CompTIA Security+ / Network+ - Infrastructure and Network Architecture: Understanding storage redundancy technologies and their data distribution models to ensure availability and integrity.
  Drag and Drop Question: Given a file containing ordered numbers, i.e. "123456789," match each of the following Redundant Array of Independent Disks (RAID) levels to the corresponding...
  Tags: RAID Levels, Storage Redundancy, Fault Tolerance, Data Protection
- Question #1531: Network Security / Web Application Security - Understanding authentication mechanisms and their relative security strengths, commonly tested in certifications such as CompTIA Security+, CEH, or CISSP under access control and identity management domains.
  Drag and Drop Question: Rank the Hypertext Transfer Protocol (HTTP) authentication types shown below in order of relative strength. Drag the authentication type on the correct posit...
  Tags: HTTP Authentication, Web Security, Authentication Protocols, Cryptography
- Question #1532: Asset Security
  Hotspot Question: Identify the component that MOST likely lacks digital accountability related to information access. Click on the correct device in the image below.
  Tags: Accountability, Backup media, Data access, Information lifecycle
- Question #1533: Identity and Access Management (IAM)
  Hotspot Question: Which Web Services Security (WS-Security) specification negotiates how security tokens will be issued, renewed and validated? Click on the correct specification in...
  Tags: WS-Security, Security tokens, WS-Trust, Web services
- Question #1534: Communication and Network Security
  Hotspot Question: In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to...
  Tags: Network design, Wireless security, Network segmentation, WAP deployment
- Question #1535: Identity and Access Management (IAM)
  Hotspot Question: Which Web Services Security (WS-Security) specification maintains a single authenticated identity across multiple dissimilar environments? Click on the correct spe...
  Tags: WS-Security, Federated identity, Single Sign-On (SSO), WS-Federation
- Question #1536: Identity and Access Management (IAM)
  Hotspot Question: Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the cor...
  Tags: WS-Security, Security tokens, Access policies, WS-Trust