Which one of the following security mechanisms provides the BEST way to restrict the execution of privileged procedures? A. Role Based Access Control (RBAC) B. Biometric access control C. Federated Identity Management (IdM) D. Application hardening
Answer: A
Rationale: RBAC restricts access and privileged actions based on defined user roles rather than individual identities.
Question 222
An organization is selecting a service provider to assist in the consolidation of multiple computing sites, including development, implementation and ongoing support of various computer systems. Which of the following MUST be verified by the Information Security Department? A. The service provider's policies are consistent with ISO/IEC 27001 and there is evidence that the service provider is following those policies. B. The service provider will segregate the data within its systems and ensure that each region's policies are met. C. The service provider will impose controls and protections that meet or exceed the current systems' controls and produce audit logs as verification. D. The service provider's policies can meet the requirements imposed by the new environment even if they differ from the organization's current policies.
Answer: D
Rationale: The provider’s policies must align with the new environment’s requirements, even if different from existing ones.
Question 223
Which of the following assessment metrics is BEST used to understand a system's vulnerability to potential exploits? A. Determining the probability that the system functions safely during any time period B. Quantifying the system's available services C. Identifying the number of security flaws within the system D. Measuring the system's integrity in the presence of failure
Answer: C
Rationale: The number of known flaws indicates vulnerability level and helps prioritize remediation.
Question 224
An auditor carrying out a compliance audit requests passwords that are encrypted in the system to verify that the passwords are compliant with policy. Which of the following is the BEST response to the auditor? A. Provide the encrypted passwords and analysis tools to the auditor for analysis. B. Analyze the encrypted passwords for the auditor and show them the results. C. Demonstrate that non-compliant passwords cannot be created in the system. D. Demonstrate that non-compliant passwords cannot be encrypted in the system.
Answer: C
Rationale: Auditors should be shown that controls prevent weak passwords; encrypted passwords should not be shared.
Question 225
Which of the following is TRUE about Disaster Recovery Plan (DRP) testing? A. Operational networks are usually shut down during testing. B. Testing should continue even if components of the test fail. C. The company is fully prepared for a disaster if all tests pass. D. Testing should not be done until the entire disaster plan can be tested.
Answer: B
Rationale: Continuing tests despite failures helps identify weaknesses and improve plan effectiveness.
Question 226
Which one of the following describes granularity? A. Maximum number of entries available in an Access Control List (ACL) B. Fineness to which a trusted system can authenticate users C. Number of violations divided by the number of total accesses D. Fineness to which an access control system can be adjusted
Answer: D
Rationale: Granularity refers to how finely access rights or controls can be tuned in a system.
Question 227
Which of the following is the MOST important consideration when storing and processing Personally Identifiable Information (PII)? A. Encrypt and hash all PII to avoid disclosure and tampering. B. Store PII for no more than one year. C. Avoid storing PII in a Cloud Service Provider. D. Adherence to collection limitation laws and regulations.
Answer: D
Rationale: Compliance with data protection laws is the foremost priority when handling PII.
Question 228
What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system? A. Physical access to the electronic hardware B. Regularly scheduled maintenance process C. Availability of the network connection D. Processing delays
Answer: A
Rationale: ATMs are physical devices with cash and sensitive components, so physical security is the primary concern.
Question 229
Which one of the following effectively obscures network addresses from external exposure when implemented on a firewall or router? A. Network Address Translation (NAT) B. Application Proxy C. Routing Information Protocol (RIP) Version 2 D. Address Masking
Answer: A
Rationale: NAT hides internal IP addresses by translating them to external ones, masking internal network structure.
Question 230
The Hardware Abstraction Layer (HAL) is implemented in the A. system software. B. system hardware. C. application software. D. network hardware.
Answer: A
Rationale: HAL is a software layer that isolates hardware details from the operating system.
Question 231
A disadvantage of an application filtering firewall is that it can lead to A. a crash of the network as a result of user activities. B. performance degradation due to the rules applied. C. loss of packets on the network due to insufficient bandwidth. D. Internet Protocol (IP) spoofing by hackers.
Question 232
Which of the following is the FIRST step of a penetration test plan? A. Analyzing a network diagram of the target network B. Notifying the company's customers C. Obtaining the approval of the company's management D. Scheduling the penetration test during a period of least impact
Answer: C
Rationale: Management approval is mandatory before testing to ensure legality and define test scope.
Question 233
Which one of the following is a fundamental objective in handling an incident? A. To restore control of the affected systems B. To confiscate the suspect's computers C. To prosecute the attacker D. To perform full backups of the system
Answer: A
Rationale: Regaining control of compromised systems is the first priority in incident response.
Question 234
When transmitting information over public networks, the decision to encrypt it should be based on A. the estimated monetary value of the information. B. whether there are transient nodes relaying the transmission. C. the level of confidentiality of the information. D. the volume of the information.
Answer: C
Rationale: Encryption requirements are driven by information sensitivity and confidentiality levels.
Question 235
Which of the following would be the FIRST step to take when implementing a patch management program? A. Perform automatic deployment of patches. B. Monitor for vulnerabilities and threats. C. Prioritize vulnerability remediation. D. Create a system inventory.
Answer: D
Rationale: An accurate system inventory is essential to identify which assets require patches.
Question 236
While impersonating an Information Security Officer (ISO), an attacker obtains information from company employees about their User IDs and passwords. Which method of information gathering has the attacker used? A. Trusted path B. Malicious logic C. Social engineering D. Passive misuse
Answer: C
Rationale: The attacker manipulates people to disclose confidential information, a hallmark of social engineering.
Question 237
Which of the following defines the key exchange for Internet Protocol Security (IPSec)? A. Secure Sockets Layer (SSL) key exchange B. Internet Key Exchange (IKE) C. Security Key Exchange (SKE) D. Internet Control Message Protocol (ICMP)
Answer: B
Rationale: IPSec uses IKE to establish and manage cryptographic keys securely between endpoints.
Question 238
Why MUST a Kerberos server be well protected from unauthorized access? A. It contains the keys of all clients. B. It always operates at root privilege. C. It contains all the tickets for services. D. It contains the Internet Protocol (IP) address of all network entities.
Answer: A
Rationale: The Kerberos Key Distribution Center (KDC) stores secret keys for all users and systems, making it a high-value target.
Question 239
When designing a networked Information System (IS) where there will be several different types of individual access, what is the FIRST step that should be taken to ensure all access control requirements are addressed? A. Create a user profile. B. Create a user access matrix. C. Develop an Access Control List (ACL). D. Develop a Role Based Access Control (RBAC) list.
Answer: B
Rationale: A user access matrix maps users to resources and required permissions, forming the foundation for access control planning.
Question 240
Which of the following is an effective method for avoiding magnetic media data remanence? A. Degaussing B. Encryption C. Data Loss Prevention (DLP) D. Authentication
Answer: A
Rationale: Degaussing neutralizes magnetic fields on storage media, eliminating residual data.