CISSP Practice Questions (561–580)

Question 561

What is the MINIMUM standard for testing a disaster recovery plan (DRP)?
A. Quarterly or more frequently depending upon the advice of the information security manager
B. As often as necessary depending upon stability and business requirements
C. Annually or less frequently depending upon audit department requirements
D. Semi-annually and in alignment with a fiscal half-year business cycle

Question 562

Which security audit standard provides the BEST way for an organization to understand a vendor’s Information Systems (IS) in relation to confidentiality, integrity, and availability?
A. Service Organization Control (SOC) 2
B. Statement on Standards for Attestation Engagements (SSAE) 18
C. Statement on Auditing Standards (SAS) 70
D. Service Organization Control (SOC) 1

Question 563

An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?
A. Allowed number of characters
B. Population of required fields
C. Reasonable data
D. Session testing

Question 564

An organization is partnering with a third-party cloud supplier that provides security controls while the organization provides only data. Which of the following BEST describes this service offering?
A. Platform as a Service (PaaS)
B. Anything as a Service (XaaS)
C. Infrastructure as a Service (IaaS)
D. Software as a Service (SaaS)

Question 565

Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?
A. Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
B. Discretionary Access Control (DAC) and Access Control List (ACL)
C. Role Based Access Control (RBAC) and Mandatory Access Control (MAC)
D. Role Based Access Control (RBAC) and Access Control List (ACL)

Question 566

Which of the following is the MOST significant key management problem due to the number of keys created?
A. Exponential growth when using symmetric keys
B. Exponential growth when using asymmetric keys
C. Storage of the keys requires increased security
D. Keys are more difficult to provision and revoke

Question 567

A CISSP is asked to perform a vulnerability assessment for PCI compliance but has never done so before. According to the (ISC)² Code of Ethics, what should the CISSP do?
A. Inform the CISO they are unable to perform the task because they must only offer services for which they are competent
B. Since certified, attempt with assistance to complete the assessment
C. Review CISSP guidelines before performing the assessment
D. Review PCI requirements before performing the assessment

Question 568

While performing a security review for a new product, a security professional learns that the product team plans to use government-issued IDs as unique customer identifiers. What should be recommended?
A. Customer identifiers should be a variant of the user’s government-issued ID number
B. Customer identifiers should be a cryptographic hash of the user’s government-issued ID number
C. Customer identifiers that do not resemble the user’s government-issued ID number should be used
D. Customer identifiers should be based on the user’s name, such as “jdoe”

Question 569

The development team collects biometric data in a secure testing environment. During testing, data from an old production database is used. What principle must the team consider?
A. Biometric data cannot be changed
B. The biometric devices are unknown
C. Biometric data must be protected from disclosure
D. Separate biometric data streams require increased security

Question 570

During firewall implementation, which failure method BEST prioritizes security?
A. Failover
B. Fail-Closed
C. Fail-Safe
D. Fail-Open

Question 571

Which of the following services can integrate with Identity as a Service (IDaaS) as the authoritative source of user identities?
A. Multi-factor authentication (MFA)
B. Directory
C. User database
D. Single sign-on (SSO)

Question 572

Which of the following statements is TRUE about Secure Shell (SSH)?
A. SSH supports port forwarding, which can be used to protect less secured protocols
B. SSH does not protect against man-in-the-middle (MITM) attacks
C. SSH is easy to deploy because it requires a web browser only
D. SSH can be used with almost any application because it maintains a circuit

Question 573

What is considered a compensating control for not having electrical surge protectors installed?
A. Having dual lines to network service providers built to the site
B. Having a hot disaster recovery (DR) environment for the site
C. Having network equipment in active-active clusters at the site
D. Having backup diesel generators installed at the site

Question 574

What is the FIRST step in risk management?
A. Identify the factors that have potential to impact business
B. Establish the scope and actions required
C. Identify existing controls in the environment
D. Establish the expectations of stakeholder involvement

Question 575

Which of the following is the PRIMARY goal of logical access controls?
A. Restrict access to an information asset
B. Ensure availability of an information asset
C. Restrict physical access to an information asset
D. Ensure integrity of an information asset

Question 576

Which of the following is a covert channel type?
A. Pipe
B. Memory
C. Storage
D. Monitoring

Question 577

A software developer wishes to write code that will execute safely and only as intended. Which programming language type is MOST likely to achieve this goal?
A. Weakly typed
B. Dynamically typed
C. Strongly typed
D. Statically typed

Question 578

Which role ensures that important datasets are developed, maintained, and accessible within defined specifications?
A. Data Custodian
B. Data Reviewer
C. Data User
D. Data Owner

Question 579

What is static analysis intended to do when analyzing an executable file?
A. Search documents and files associated with the executable file
B. Analyze the position of the file in the file system and its libraries
C. Collect evidence of usage and file creation details
D. Disassemble the file to gather information about the executable file’s function

Question 580

A network security engineer must ensure that URL traffic is inspected and malicious sites are blocked. Which solution should be implemented?
A. Application-Level Proxy
B. Intrusion detection system (IDS)
C. Host-based Firewall
D. Circuit-Level Proxy