CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 8 of 31.
- Question #351 (Software Development Security)
  Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?
  Tags: Software acquisition, Secure development, Vendor assessment, Code quality
- Question #352 (Security and Risk Management)
  Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software?
  Tags: COTS acquisition, Security policy, Procurement, Risk management
- Question #353 (Asset Security)
  An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data b...
  Tags: Cloud security, Shared responsibility, Data ownership, SaaS security
- Question #354 (Software Development Security)
  What is the PRIMARY role of a scrum master in agile development?
  Tags: Scrum master, Agile development, Software project management, Requirements management
- Question #355 (Identity and Access Management)
  What capability would typically be included in a commercially available software package designed for access control?
  Tags: Access control systems, Password security, Credential protection, Authentication mechanisms
- Question #356 (Software Development Security)
  An organization plans on purchasing a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contra...
  Tags: Software escrow, Vendor lock-in, Supply chain security, Contractual agreements
- Question #357 (Software Development Security)
  When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified?
  Tags: SDLC, Mobile device security, Requirements gathering, System design
- Question #358 (Security Assessment and Testing)
  Which of the following is the MOST important security goal when performing application interface testing?
  Tags: Interface testing, Security testing, Information leakage, Error handling
- Question #359 (Security Architecture and Engineering)
  Which of the following is the MOST common method of memory protection?
  Tags: Memory protection, Operating system security, Segmentation, Access control
- Question #360 (Security and Risk Management)
  Attack trees are MOST useful for which of the following?
  Tags: Attack trees, Threat modeling, Vulnerability analysis, Risk assessment
- Question #361 (Security Assessment and Testing)
  Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections?
  Tags: Fuzzing, Dynamic analysis, Resource exhaustion, Vulnerability testing
- Question #362 (Software Development Security)
  Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint?
  Tags: Release control, Configuration management, Auditing, Traceability
- Question #363 (Software Development Security)
  The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?
  Tags: Application integrity, Digital signatures, Software assurance, Release management
- Question #364 (Communication and Network Security)
  What is the BEST location in a network to place Virtual Private Network (VPN) devices when an internal review reveals network design flaws in remote access?
  Tags: VPN placement, DMZ, Network architecture, Remote access
- Question #365 (Identity and Access Management)
  Which of the following access management procedures would minimize the possibility of an organization's employees retaining access to secure work areas after they change roles?
  Tags: Access management, Role changes, Least privilege, User access modification
- Question #366 (Security and Risk Management)
  What is the FIRST step in establishing an information security program?
  Tags: Security program, Information security policy, Governance, Security management
- Question #367 (Communication and Network Security)
  Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic?
  Tags: Application-level firewall, Information hiding, Network security, Deep packet inspection
- Question #368 (Communication and Network Security)
  Which of the following is the BEST way to reduce the impact of an externally sourced flood attack?
  Tags: DDoS mitigation, Flood attack, Service provider, Network security
- Question #369 (Identity and Access Management)
  Which of the following is the BEST Identity-as-a-Service (IDaaS) solution for validating users?
  Tags: IDaaS, SAML, Authentication protocols, Identity federation
- Question #370 (Security Assessment and Testing)
  When conducting a security assessment of access controls, which activity is part of the data analysis phase?
  Tags: Security assessment, Audit process, Data analysis, Access control audit
- Question #371 (Software Development Security)
  Which of the following is used to support defense in depth during the development phase of a software product?
  Tags: Defense in depth, Software development security, Polyinstantiation, Security architecture
- Question #372 (Security and Risk Management)
  When a system changes significantly, who is PRIMARILY responsible for assessing the security impact?
  Tags: Roles and responsibilities, Security impact assessment, System changes, ISSO
- Question #373 (Asset Security)
  When selecting a disk encryption technology, which of the following MUST also be assured to be encrypted?
  Tags: Disk encryption, Hibernation file, Data at rest, Data leakage
- Question #374 (Security and Risk Management)
  Which of the following attacks is dependent upon the compromise of a secondary target in order to reach the primary target?
  Tags: Watering hole attack, Attack vectors, Threats, Social engineering
- Question #375 (Communication and Network Security)
  Additional padding may be added to the Encapsulating Security Protocol (ESP) trailer to provide which of the following?
  Tags: IPsec ESP, Traffic flow confidentiality, Padding, Network protocols
- Question #376 (Security and Risk Management)
  Company A is evaluating new software to replace an in-house developed application. During the acquisition process, Company A specified the security requirements, as well as the funct...
  Tags: Software acquisition, Third-party risk, OS security, Due diligence
- Question #377 (Security Operations)
  What is maintained by using write blocking devices when forensic evidence is examined?
  Tags: Digital forensics, Write blockers, Evidence integrity, Incident response
- Question #378 (Identity and Access Management)
  Which of the following is a characteristic of a challenge/response authentication process?
  Tags: Challenge/response authentication, Password hashing, Authentication protocols, Network authentication
- Question #379 (Software Development Security)
  Which of the following is the PRIMARY risk associated with Extensible Markup Language (XML) applications?
  Tags: XML security, Data leakage, Application security, Input validation
- Question #380 (Security and Risk Management)
  Activity to baseline, tailor, and scope security controls takes place during which National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) step?
  Tags: NIST RMF, Security controls selection, Baselining, Tailoring
- Question #381 (Identity and Access Management)
  A large corporation is looking for a solution to automate access based on where a request is coming from, who the user is, what device they are connecting with, and what time of d...
  Tags: Network Access Control, Context-based access, Authentication, Authorization
- Question #382 (Software Development Security)
  Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint?
  Tags: Release control, Configuration management, Auditing, Traceability
- Question #383 (Asset Security)
  When adopting software as a service (SaaS), which security responsibility will remain with the adopting organization?
  Tags: SaaS security, Shared responsibility model, Data classification, Cloud security
- Question #384 (Communication and Network Security)
  Secure Real-time Transport Protocol (SRTP) provides security for which of the following?
  Tags: SRTP, VoIP security, Real-time communication, Encryption protocols
- Question #385 (Identity and Access Management)
  Which of the following authorization standards is built to handle Application Programming Interface (API) access for Federated Identity Management (FIM)?
  Tags: OAuth, API security, Federated Identity Management, Authorization standards
- Question #386 (Software Development Security)
  Which programming methodology allows a programmer to use pre-determined blocks of code and consequently reduces development time and programming costs?
  Tags: Object-oriented programming, Code reuse, Software development methodologies
- Question #387 (Security Architecture and Engineering)
  Why do Certificate Authorities (CA) add value to the security of electronic commerce transactions?
  Tags: Certificate Authorities, PKI, Certificate Revocation List, Digital certificates
- Question #388 (Software Development Security)
  If a content management system (CMS) is implemented, which one of the following would occur?
  Tags: Content Management System, Separation of duties, SDLC security, Production access control
- Question #389 (Security Assessment and Testing)
  During a Disaster Recovery (DR) assessment, additional coverage for assurance is required. What should an assessor do?
  Tags: Disaster Recovery, DR assessment, Business Continuity Planning, Assurance
- Question #390 (Security and Risk Management)
  Which of the following is an accurate statement when an assessment results in the discovery of vulnerabilities in a critical network component?
  Tags: Vulnerability assessment, Critical infrastructure, Network security, Risk impact
- Question #391 (Communication and Network Security)
  What technique used for spoofing the origin of an email can successfully conceal the sender's Internet Protocol (IP) address?
  Tags: Email spoofing, IP address concealment, Onion routing, Anonymity networks
- Question #392 (Security Operations)
  What is a warm site when conducting Business Continuity Planning (BCP)?
  Tags: Warm site, Business Continuity Planning, Disaster Recovery, Alternate sites
- Question #393 (Security and Risk Management)
  Which of the following four iterative steps are conducted on third-party vendors on an on-going basis?
  Tags: Third-party risk management, Vendor assessment, Risk management framework, Continuous monitoring
- Question #394 (Asset Security)
  Which of the following media is least problematic with data remanence?
  Tags: Data remanence, Secure data disposal, DRAM, Storage media
- Question #395 (Communication and Network Security)
  During a recent assessment an organization has discovered that the wireless signal can be detected outside the campus area. What logical control should be implemented in order to B...
  Tags: Wireless security, WPA2 encryption, Confidentiality, Signal leakage
- Question #396 (Security Operations)
  Who is essential for developing effective test scenarios for disaster recovery (DR) test plans?
  Tags: Disaster Recovery testing, BCP stakeholders, Test scenarios, Organizational roles
- Question #397 (Security Architecture and Engineering)
  Which is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
  Tags: PKI, Certificate lifecycle, Key management, Digital certificates
- Question #398 (Security and Risk Management)
  Which of the following is MOST important when determining appropriate countermeasures for an identified risk?
  Tags: Risk management, Countermeasures, Risk tolerance, Security controls
- Question #399 (Security Operations)
  When a flaw in Industrial Control Systems (ICS) software is discovered, what is the GREATEST impediment to deploying a patch?
  Tags: Industrial Control Systems, Patch management, Critical infrastructure security, Operational technology (OT)
- Question #400 (Security Operations)
  Which of the following is the BEST approach for a forensic examiner to obtain the greatest amount of relevant information from malicious software?
  Tags: Forensic analysis, Malware analysis, Behavioral analysis, Incident response