CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 6 of 31.
- Question #251 (Security Assessment and Testing)
  When designing a vulnerability test, which one of the following is likely to give the BEST indication of what components currently operate on the network?
  Tags: vulnerability testing, network mapping, reconnaissance
- Question #252 (Asset Security)
  Which of the following approaches is the MOST effective way to dispose of data on multiple hard drives?
  Tags: data sanitization, hard drive disposal, data remanence, secure erase
- Question #253 (Security and Risk Management)
  Which of the following is the BEST method to reduce the effectiveness of phishing attacks?
  Tags: phishing, security awareness, social engineering, user training
- Question #254 (Security and Risk Management)
  The PRIMARY purpose of accreditation is to:
  Tags: accreditation, risk acceptance, senior management responsibility
- Question #255 (Communication and Network Security)
  Which of the following is a weakness of Wired Equivalent Privacy (WEP)?
  Tags: WEP, wireless security, initialization vector (IV), cryptographic weaknesses
- Question #256 (Security Assessment and Testing)
  When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?
  Tags: security assessment, test reporting, confidentiality, integrity
- Question #257 (Security Operations)
  Which of the following is the MAIN reason for using configuration management?
  Tags: configuration management, security controls, consistency, baselines
- Question #258 (Identity and Access Management)
  Which of the following is BEST suited for exchanging authentication and authorization messages in a multi-party decentralized environment?
  Tags: SAML, federated identity, SSO, authentication protocols
- Question #259 (Security Architecture and Engineering)
  Which of the following is MOST important when deploying digital certificates?
  Tags: digital certificates, certificate lifecycle management, PKI, certificate authority
- Question #260 (Identity and Access Management)
  A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MO...
  Tags: Discretionary Access Control (DAC), data owner, access request, access control models
- Question #261 (Security and Risk Management)
  How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?
  Tags: Vulnerability management, Risk prioritization, Remediation planning
- Question #262 (Security Operations)
  Which of the following is the MOST important consideration when developing a Disaster Recovery Plan (DRP)?
  Tags: Disaster Recovery Plan, Business continuity, Recovery strategy
- Question #263 (Communication and Network Security)
  A proxy firewall operates at what layer of the Open System Interconnection (OSI) model?
  Tags: Proxy firewall, OSI model, Application layer
- Question #264 (Identity and Access Management)
  Which of the following restricts the ability of an individual to carry out all the steps of a particular process?
  Tags: Separation of duties, Internal controls, Access control principles
- Question #265 (Software Development Security)
  Although code using a specific program language may not be susceptible to a buffer overflow attack,
  Tags: Buffer overflow, Software vulnerabilities, Virtual machine security
- Question #266 (Communication and Network Security)
  What is the BEST way to encrypt web application communications?
  Tags: Web encryption, TLS, Secure communication
- Question #267 (Communication and Network Security)
  Which of the following are effective countermeasures against passive network-layer attacks?
  Tags: Network security, Passive attacks, Encryption, Network layer security
- Question #268 (Security Operations)
  What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)?
  Tags: BCP training, DRP training, Management support, Program effectiveness
- Question #269 (Security and Risk Management)
  A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed...
  Tags: Ethics, Corporate governance, Whistleblower policy, Change management
- Question #270 (Asset Security)
  Which of the following is the MOST important goal of information asset valuation?
  Tags: Asset valuation, Information asset management, Risk assessment
- Question #271 (Security Assessment and Testing)
  Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)?
  Tags: Security testing, ST&E, Security control categories
- Question #272 (Communication and Network Security)
  Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution?
  Tags: VPN security, Split tunneling, Network security risks, Remote access
- Question #273 (Security Architecture and Engineering)
  Which of the following BEST describes a chosen plaintext attack?
  Tags: Chosen plaintext attack, Cryptography attacks, Cryptanalysis
- Question #274 (Security Operations)
  For network-based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?
  Tags: Network forensics, Anomaly detection, Network traffic analysis, Security monitoring
- Question #275 (Security Assessment and Testing)
  Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization network?
  Tags: Vulnerability scanning, Vulnerability management, Remediation, Security assessment
- Question #276 (Asset Security)
  Which of the following would BEST describe the role directly responsible for data within an organization?
  Tags: Data roles, Information owner, Data governance, Data responsibility
- Question #277 (Security Operations)
  The restoration priorities of a Disaster Recovery Plan (DRP) are based on which of the following documents?
  Tags: Disaster Recovery Plan, Business Impact Analysis, Recovery priorities, Business continuity
- Question #278 (Security Architecture and Engineering)
  A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This indicates that which of the following properties are being prioritized?
  Tags: Mandatory Access Control, Confidentiality, Access control models
- Question #279 (Security Architecture and Engineering)
  A vulnerability in which of the following components would be MOST difficult to detect?
  Tags: Hardware vulnerabilities, System security, Vulnerability detection, Low-level exploits
- Question #280 (Identity and Access Management)
  During which of the following processes is least privilege implemented for a user account?
  Tags: Least privilege, User provisioning, Access management lifecycle, IAM principles
- Question #281 (Security Operations)
  Which of the following is a document that identifies each item seized in an investigation, including date and time seized, full name and signature or initials of the person who sei...
  Tags: chain of custody, evidence handling, digital forensics
- Question #282 (Security Architecture and Engineering)
  Which of the following is needed to securely distribute symmetric cryptographic keys?
  Tags: symmetric encryption, key management, cryptographic key distribution
- Question #283 (Security Operations)
  Reciprocal backup site agreements are considered to be
  Tags: disaster recovery, business continuity, backup sites, reciprocal agreements
- Question #284 (Identity and Access Management)
  In which identity management process is the subject's identity established?
  Tags: identity management, enrollment, identity lifecycle
- Question #285 (Security and Risk Management)
  In order to assure authenticity, which of the following are required?
  Tags: authenticity, authentication, non-repudiation, security principles
- Question #286 (Communication and Network Security)
  At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled?
  Tags: OSI model, network layer, datagrams, IP addressing
- Question #287 (Security Assessment and Testing)
  An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?
  Tags: penetration testing, attack surface, third-party risk, vendor security
- Question #288 (Security and Risk Management)
  A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade w...
  Tags: NIST Cybersecurity Framework, risk management, asset management, governance
- Question #289 (Asset Security)
  What is the difference between media marking and media labeling?
  Tags: media security, data classification, media marking, media labeling
- Question #290 (Software Development Security)
  What balance MUST be considered when web application developers determine how informative application error messages should be constructed?
  Tags: secure software development, error handling, information disclosure, risk assessment
- Question #291 (Security Operations)
  What operations role is responsible for protecting the enterprise from corrupt or contaminated media?
  Tags: data protection, media management, security roles, information librarian
- Question #292 (Security Architecture and Engineering)
  Which of the following is a characteristic of the initialization vector when using Data Encryption Standard (DES)?
  Tags: cryptography, initialization vector, block ciphers, DES
- Question #293 (Communication and Network Security)
  In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is the MAIN purpose of the DMZ?
  Tags: DMZ, network segmentation, network architecture, firewalls
- Question #294 (Security Operations)
  Network-based logging has which advantage over host-based logging when reviewing malicious activity about a victim machine?
  Tags: logging, network security monitoring, incident response, evidence integrity
- Question #295 (Asset Security)
  Which of the following is the PRIMARY reason for employing physical security personnel at entry points in facilities where card access is in operation?
  Tags: physical security, access control, security personnel, safety
- Question #296 (Communication and Network Security)
  Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a communications device?
  Tags: OSI model, routers, network layer, communication devices
- Question #297 (Security Assessment and Testing)
  Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?
  Tags: penetration testing, blind testing, ethical hacking, security assessment
- Question #298 (Security and Risk Management)
  Which of the following countermeasures is the MOST effective in defending against a social engineering attack?
  Tags: social engineering, security awareness, human factors, behavioral security
- Question #299 (Identity and Access Management)
  Which of the following information MUST be provided for user account provisioning?
  Tags: account provisioning, identity management, unique identifier, user accounts
- Question #300 (Communication and Network Security)
  Which of the following adds end-to-end security inside a Layer 2 Tunneling Protocol (L2TP) Internet Protocol Security (IPSec) connection?
  Tags: L2TP/IPSec, TLS, VPN, end-to-end encryption, protocol security