A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following factors leads the company to choose an IDaaS as their solution? A. In-house team lacks resources to support an on-premise solution. B. Third-party solutions are inherently more secure. C. Third-party solutions are known for transferring the risk to the vendor. D. In-house development provides more control.
Answer: A
Rationale: IDaaS is chosen when the internal team lacks the staff, expertise, or budget to build and maintain an on-premise identity platform; the provider supplies scalability, patching, and availability. Third-party services are not inherently more secure (B), outsourcing does not transfer accountability for the risk (C), and D argues for keeping identity in-house, not for IDaaS.
Question 422
An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred? A. SQL injection (SQLi) B. Extensible Markup Language (XML) external entities C. Cross-Site Scripting (XSS) D. Cross-Site Request Forgery (CSRF)
Answer: C
Rationale: Cross-Site Scripting (XSS) injects malicious scripts into trusted websites, enabling attackers to steal session cookies or credentials from users’ browsers.
Question 423
An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim’s existing browser session with a web application is an example of which of the following types of attack? A. Clickjacking B. Cross-site request forgery (CSRF) C. Cross-Site Scripting (XSS) D. Injection
Answer: B
Rationale: A malicious link that makes the victim's already-authenticated browser send a request the web application trusts is cross-site request forgery (CSRF): the browser attaches the session cookie automatically, so the application cannot tell the forged request from a legitimate one. XSS (C) injects script into a page the victim views, clickjacking (A) tricks the user into clicking a hidden UI element, and injection (D) targets a server-side interpreter.
Question 424
Which of the following encryption technologies has the ability to function as a stream cipher? A. Cipher Block Chaining (CBC) with error propagation B. Electronic Code Book (ECB) C. Cipher Feedback (CFB) D. Feistel cipher
Answer: C
Rationale: Cipher Feedback (CFB) mode, like OFB and CTR, turns a block cipher into a stream cipher: the block cipher encrypts the previous ciphertext block (initially the IV) to produce keystream that is XORed with the plaintext, so only the cipher's forward direction is needed and the message does not have to be padded to the block size. CFB is self-synchronizing, and a single corrupted ciphertext bit damages that bit in its own block plus the whole following block. ECB and CBC (A, B) operate on complete blocks, and a Feistel cipher (D) is a block-cipher construction, not a mode of operation.
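The following is an added example, not code from the question bank, showing why CFB behaves as a stream cipher. To stay dependency-free it stands in for a real block cipher's encryption direction with HMAC-SHA256 truncated to 16 bytes; that stand-in is an assumption of the example, and it is deliberately non-invertible to make the point that CFB never calls the decryption direction. The key, IV, and 37-byte plaintext are constructed.

```python
import hashlib
import hmac

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher's forward direction (e.g. AES-128).
    HMAC-SHA256 truncated to the block size: keyed, pseudorandom, NOT invertible.
    CFB works anyway because it only ever needs encryption of the feedback block."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E_k(C_{i-1}), with C_{-1} = IV.
    The last chunk may be shorter than a block; no padding is needed."""
    out = bytearray()
    feedback = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        c = _xor(chunk, keystream[:len(chunk)])
        out += c
        feedback = c  # the ciphertext block feeds the next keystream block
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_i XOR E_k(C_{i-1}); same primitive, same direction, as encryption."""
    out = bytearray()
    feedback = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        out += _xor(chunk, keystream[:len(chunk)])
        feedback = chunk
    return bytes(out)


def damaged_blocks(key: bytes, iv: bytes, plaintext: bytes, flip_at: int) -> list:
    """Flip one ciphertext bit and report which plaintext blocks no longer match.
    Expect the block containing the flip (one bit wrong) and the next block (fully
    garbled, because its keystream comes from the corrupted ciphertext); later
    blocks resynchronize."""
    ct = bytearray(cfb_encrypt(key, iv, plaintext))
    ct[flip_at] ^= 0x01
    recovered = cfb_decrypt(key, iv, bytes(ct))
    blocks = range(0, len(plaintext), BLOCK)
    return [i // BLOCK for i in blocks
            if recovered[i:i + BLOCK] != plaintext[i:i + BLOCK]]


# Constructed inputs for the example.
KEY = b"0123456789abcdef"
IV = bytes(range(16))
MESSAGE = b"CFB needs no padding: 37 bytes total!"  # 2 full blocks + 5 bytes

if __name__ == "__main__":
    ct = cfb_encrypt(KEY, IV, MESSAGE)
    print(len(MESSAGE), "plaintext bytes ->", len(ct), "ciphertext bytes")
    print("round trip ok:", cfb_decrypt(KEY, IV, ct) == MESSAGE)
    print("blocks damaged by a one-bit flip in block 0:", damaged_blocks(KEY, IV, MESSAGE, 3))
```

Two things are visible here that the rationale only states: the ciphertext is exactly as long as the plaintext, and a one-bit error in block 0 corrupts blocks 0 and 1 but not block 2. The same harness with `feedback = keystream` instead of the ciphertext block would give OFB, which does not propagate errors at all.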
Question 425
In a disaster recovery (DR) test, which of the following would be a trait of crisis management? A. Process B. Anticipate C. Strategic D. Wide focus
Answer: D
Rationale: Crisis management has a broad, organization-wide focus, coordinating communications, leadership decisions, and resources across multiple functional areas during major disruptions.
Question 426
Which of the following BEST describes the purpose of the reference monitor when defining access control to enforce the security model? A. Strong operational security to keep unit members safe B. Policies to validate organization rules C. Cyber hygiene to ensure organizations can keep systems healthy D. Quality design principles to ensure quality by design
Answer: B
Rationale: The reference monitor is the abstract machine that mediates every access a subject makes to an object and validates it against the security policy. Its implementation (the security kernel) must be always invoked, tamper-proof, and small enough to be verified; those properties are what make the enforced policy trustworthy.
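As an added illustration of the reference monitor concept (not from the question bank), the class below mediates every request, owns its policy so callers cannot swap it, denies anything the policy does not explicitly allow, and records each decision. The policy shown is a Bell-LaPadula style rule set; the subjects, objects, and labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sensitivity ladder for the example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


Policy = Callable[[Subject, Obj, str], bool]


def bell_lapadula(subject: Subject, obj: Obj, action: str) -> bool:
    """Simple security property (no read up) and *-property (no write down).
    Any action the policy does not recognize is denied."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


@dataclass
class ReferenceMonitor:
    """Every access decision passes through check(); nothing else in the system
    should touch objects directly (complete mediation). The policy is private
    to the monitor (tamper resistance) and every decision is logged (verifiability)."""
    _policy: Policy
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def check(self, subject: Subject, obj: Obj, action: str) -> bool:
        allowed = self._policy(subject, obj, action)
        self.audit.append((subject.name, action, obj.name, "ALLOW" if allowed else "DENY"))
        return allowed


def run_scenario() -> dict:
    """Constructed requests from a 'confidential'-cleared analyst."""
    rm = ReferenceMonitor(bell_lapadula)
    analyst = Subject("analyst", "confidential")
    results = {
        "read_secret": rm.check(analyst, Obj("war-plan", "secret"), "read"),
        "read_internal": rm.check(analyst, Obj("memo", "internal"), "read"),
        "write_public": rm.check(analyst, Obj("blog", "public"), "write"),
        "write_secret": rm.check(analyst, Obj("war-plan", "secret"), "write"),
        "exec_internal": rm.check(analyst, Obj("tool", "internal"), "exec"),
    }
    results["audit_entries"] = len(rm.audit)
    return results
```

The point of routing everything through `check()` rather than sprinkling comparisons across the code base is the same one the question makes: the policy is validated in one small, inspectable place, which is what lets an auditor reason about what the system actually enforces.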
Question 427
Which of the following is security control volatility? A. A reference to the impact of the security control. B. A reference to the likelihood of change in the security control. C. A reference to how unpredictable the security control is. D. A reference to the stability of the security control.
Answer: B
Rationale: In continuous-monitoring guidance such as NIST SP 800-137, security control volatility is a measure of how likely a control, or the conditions it depends on, is to change over time after it is implemented. Highly volatile controls (for example, those tied to frequently changing configurations) are assessed and monitored more often than stable ones. Volatility is about the likelihood of change, not about the control being unpredictable (C) or about its impact (A).
Question 428
When auditing the Software Development Life Cycle (SDLC), which of the following is one of the high-level audit phases? A. Planning B. Risk assessment C. Due diligence D. Requirements
Answer: A
Rationale: Planning is a primary high-level phase of the audit process. It establishes the audit scope, objectives, resources, and methodology before reviewing SDLC activities. Requirements is an SDLC phase, not an audit phase; Risk assessment is performed during the audit but is not categorized as a high-level SDLC audit phase; Due diligence is unrelated to SDLC auditing.
Question 429
What is the term used to define where data is geographically stored in the cloud? A. Data privacy rights B. Data sovereignty C. Data warehouse D. Data subject rights
Answer: B
Rationale: Data sovereignty refers to legal jurisdiction governing data based on the country or region where the data physically resides.
Question 430
Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)? A. Proper security controls, security objectives, and security goals are properly initiated. B. Security objectives, security goals, and system test are properly conducted. C. Proper security controls, security goals, and fault mitigation are properly conducted. D. Security goals, proper security controls, and validation are properly initiated.
Answer: A
Rationale: During the security design phase of the SDLC, security objectives, goals, and controls are established and integrated into the system design. Validation occurs later in testing phases, not during design.
Question 431
Which of the following is MOST important to follow when developing information security controls for an organization? A. Use industry standard best practices for security controls in the organization. B. Exercise due diligence with regard to all risk management information to tailor appropriate controls. C. Review all local and international standards and choose the most stringent based on location. D. Perform a risk assessment and choose a standard that addresses existing gaps.
Answer: B
Rationale: CISSP emphasizes a risk-based, due-diligence approach. Controls must be tailored based on the organization’s specific risks, context, and environment—not simply selected for being the most stringent or commonly used.
Question 432
When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery? A. The RPO is the minimum amount of data that needs to be recovered. B. The RPO is the amount of time it takes to recover an acceptable percentage of data lost. C. The RPO is a goal to recover a targeted percentage of data lost. D. The RPO is the maximum amount of time for which loss of data is acceptable.
Answer: D
Rationale: The RPO is expressed in time: it is the maximum age of the data that must be restorable after an outage, and therefore the maximum interval of work that may be lost. It sets the minimum backup or replication frequency. The Recovery Time Objective (RTO), by contrast, limits how long the service itself may be down.
Question 433
Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture? A. A brute force password attack on the Secure Shell (SSH) port of the controller B. Sending control messages to open a flow that does not pass a firewall from a compromised host within the network C. Remote Authentication Dial-In User Service (RADIUS) token replay attack D. Sniffing the traffic of a compromised host inside the network
Answer: A
Rationale: In SDN the controller is the centralized control plane: whoever can authenticate to it can install or rewrite flow rules on every switch it manages. A successful brute-force attack on the controller's SSH management interface therefore hands the intruder complete control of the architecture. Injecting control messages from a compromised host (B) may open one flow that bypasses a firewall but does not take over the controller, and a RADIUS replay (C) or sniffing from a compromised host (D) affects individual sessions rather than the whole fabric.
Question 434
Which of the following is the BEST option to reduce the network attack surface of a system? A. Disabling unnecessary ports and services B. Ensuring that there are no group accounts on the system C. Uninstalling default software on the system D. Removing unnecessary system user accounts
Answer: A
Rationale: Disabling unnecessary ports and services minimizes open vectors attackers can exploit, effectively shrinking the attack surface.
Question 435
The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys? A. Physically secured storage device B. Trusted Platform Module (TPM) C. Encrypted flash drive D. Public key infrastructure (PKI)
Answer: B
Rationale: A Trusted Platform Module (TPM) generates, stores, and uses private keys inside tamper-resistant hardware, so the key material is never exposed to software and cannot be copied off the host. A physically secured device (A) or an encrypted flash drive (C) still exposes the key in memory whenever it is used, and PKI (D) is the overall framework, not a storage mechanism. A production CA would normally use a dedicated hardware security module (HSM), but among the options given, the TPM is the hardware-backed one.
Question 436
The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards BEST describes this security approach? A. Access control B. Security information and event management (SIEM) C. Defense-in-depth D. Security perimeter
Answer: D
Rationale: These are perimeter security controls, designed to restrict and monitor access to physical premises at the outermost layer of defense.
Question 437
A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal? A. Purpose specification B. Collection limitation C. Use limitation D. Individual participation
Answer: D
Rationale: The Individual Participation principle ensures data subjects can access, review, and correct their own records—exactly what a patient portal enables.
Question 438
A colleague who recently left the organization asked a security professional for a copy of the organization's confidential incident management policy. Which of the following is the BEST response to this request? A. Access the policy on a company-issued device and let the former colleague view the screen. B. E-mail the policy to the colleague as they were already part of the organization and familiar with it. C. Do not acknowledge receiving the request from the former colleague and ignore them. D. Submit the request using company official channels to ensure the policy is okay to distribute.
Answer: D
Rationale: Former employees must not be given internal confidential documents. Proper handling requires escalating through official channels for review and denial.
Question 439
Which of the following BEST describes when an organization should conduct a black box security audit on a new software project? A. When the organization wishes to check for non-functional compliance B. When the organization wants to enumerate known security vulnerabilities across their infrastructure C. When the organization is confident final source code is complete D. When the organization has experienced a security incident
Answer: C
Rationale: Black box testing is performed after development completion to validate security from an external attacker’s perspective, ensuring production readiness.
Question 440
In software development, which of the following entities normally signs the code to protect the code integrity? A. The organization developing the code B. The quality control group C. The developer D. The data owner
Answer: A
Rationale: Code signing is performed by the organization that owns and distributes the software, using a key issued in the organization's name, so that users and update mechanisms can verify that a release is authentic and has not been altered since it was built. Individual developers (C) may sign commits, but the release artifact carries the organization's signature; the quality control group (B) and the data owner (D) have no role in attesting to the code's integrity.