CISSP Practice Questions (41–60)

Question 41

Which of the following examples is BEST to minimize the attack surface for a customer’s private information?
A. Obfuscation
B. Collection limitation
C. Authentication
D. Data masking

Question 42

Which element of software supply-chain management has the GREATEST security risk to organizations?
A. New software development skills are hard to acquire.
B. Unsupported libraries are often used.
C. Applications with multiple contributors are difficult to evaluate.
D. Vulnerabilities are difficult to detect.

Question 43

Which of the following actions should be taken by a security professional when a mission-critical computer-network attack is suspected?
A. Isolate the network, log an independent report, fix the problem, and redeploy the computer.
B. Isolate the network, install patches, and report the occurrence.
C. Prioritize, report, and investigate the occurrence.
D. Turn the router off, perform forensic analysis, apply the appropriate fix, and log incidents.

Question 44

Which of the following is a term used to describe maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk-management decisions?
A. Information Security Management System (ISMS)
B. Information Sharing & Analysis Centers (ISAC)
C. Risk Management Framework (RMF)
D. Information Security Continuous Monitoring (ISCM)

Question 45

What is the BEST control to be implemented at a login page in a web application to mitigate the ability to enumerate users?
A. Implement a generic response for a failed login attempt.
B. Implement a strong password during account registration.
C. Implement numbers and special characters in the user name.
D. Implement two-factor authentication (2FA) in the login process.
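Added worked example (not part of the original quiz): a login handler that leaks whether an account exists beside one that does not. The user names, passwords and in-memory store are constructed for the demo. The hardened version always returns the same message and always performs the password-hash computation, even for an unknown user, so neither the response text nor the response time distinguishes real accounts from fake ones.

```python
import hashlib
import hmac
import os
import secrets


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Fixed iteration count keeps the demo quick; production values are higher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed user store for the example: username -> (salt, hash).
USERS = {"alice": _make_user("correct horse battery staple")}

# Dummy credential: an unknown user costs the same hashing work as a real one,
# which closes the timing side channel. Its password is random and unknown.
_DUMMY_SALT, _DUMMY_HASH = _make_user(secrets.token_hex(16))


def login_vulnerable(username: str, password: str) -> str:
    rec = USERS.get(username)
    if rec is None:
        return "Unknown user"            # leaks: the account does not exist
    salt, stored = rec
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "OK"
    return "Wrong password"              # leaks: the account exists


def login_hardened(username: str, password: str) -> str:
    # Look up the real record or fall back to the dummy; hash in both cases.
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    # Membership is checked after the hash so the work done is identical.
    if password_ok and username in USERS:
        return "OK"
    return "Invalid username or password"  # one generic message for every failure


def enumerates(login) -> bool:
    """True if probing a known and an unknown user with a bogus password gives
    distinguishable responses, i.e. the handler permits user enumeration."""
    return login("alice", "x") != login("nobody", "x")


if __name__ == "__main__":
    print("vulnerable enumerates:", enumerates(login_vulnerable))
    print("hardened enumerates:  ", enumerates(login_hardened))
```

The same generic-response rule has to be applied to registration ("name already taken") and password-reset flows, or the enumeration simply moves to those endpoints.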

Question 46

An established information-technology (IT) consulting firm is considering acquiring a successful local startup. To gain a comprehensive understanding of the startup’s security posture, which type of assessment provides the BEST information?
A. A security audit
B. A penetration test
C. A tabletop exercise
D. A security threat model

Question 47

In which of the following phases of the software-acquisition process does developing evaluation criteria take place?
A. Follow-On
B. Planning
C. Contracting
D. Monitoring and Acceptance

Question 48

A network administrator is designing a new datacenter in a different region that will need to communicate with the old datacenter over a secure connection. Which of the following access methods would provide the BEST security for this new datacenter?
A. Virtual network computing
B. Secure Shell (SSH)
C. In-band connection
D. Site-to-site VPN

Question 49

When developing an external-facing web-based system, which of the following would be the MAIN focus of the security assessment prior to implementation and production?
A. Assessing the Uniform Resource Locator (URL)
B. Ensuring Secure Sockets Layer (SSL) certificates are signed by a certificate authority
C. Ensuring that input validation is enforced
D. Ensuring Secure Sockets Layer (SSL) certificates are internally signed

Question 50

Which of the following services can be deployed via a cloud service or on-premises to integrate with Identity as a Service (IDaaS) as the authoritative source of user identities?
A. Directory
B. User database
C. Multi-factor authentication (MFA)
D. Single sign-on (SSO)

Question 51

What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?
A. Configuration management (CM)
B. Information Rights Management (IRM)
C. Policy creation
D. Data classification

Question 52

Using the ciphertext and the resulting cleartext message to derive the non-alphabetic cipher key is an example of which method of cryptanalytic attack?
A. Frequency analysis
B. Ciphertext-only attack
C. Probable-plaintext attack
D. Known-plaintext attack
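Added worked example (not part of the original quiz) of deriving a non-alphabetic key from a plaintext/ciphertext pair. The cipher is repeating-key XOR, the 5-byte key and both messages are constructed for the demo, and the second message shows why recovering the key matters: anything else encrypted under the same key falls with it.

```python
def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: P XOR C yields the keystream, and the shortest
    period of that keystream is the repeating key."""
    if len(known_plaintext) != len(ciphertext):
        raise ValueError("known plaintext and ciphertext must be the same length")
    stream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    # Caveat: a sample shorter than two full key periods may report a
    # coincidental short period; supply enough known text to cover the key.
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # not reached: period == len(stream) always matches


# Constructed example: a non-alphabetic key the attacker does not know.
SECRET_KEY = bytes.fromhex("7f03a9c4e1")
KNOWN_PT = b"ATTACK AT DAWN, REGIMENT TWO"          # attacker knows this
KNOWN_CT = xor_repeating(KNOWN_PT, SECRET_KEY)        # and intercepts this
OTHER_CT = xor_repeating(b"FALL BACK TO THE RIVER", SECRET_KEY)  # only this


def demo():
    """Recover the key from the known pair, then decrypt the other message."""
    key = recover_key(KNOWN_PT, KNOWN_CT)
    return key, xor_repeating(OTHER_CT, key)


if __name__ == "__main__":
    key, other_pt = demo()
    print("recovered key:", key.hex())
    print("other message:", other_pt.decode())
```

The recovered key is as short as the keystream's period, so a key that is itself periodic comes back in its reduced form, which decrypts identically.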

Question 53

When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP) network, which of the following authentication types is the MOST secure?
A. EAP-Transport Layer Security (TLS)
B. EAP-Flexible Authentication via Secure Tunneling
C. EAP-Tunneled Transport Layer Security (TTLS)
D. EAP-Protected Extensible Authentication Protocol (PEAP)

Question 54

Which of the following is included in change management?
A. Business continuity testing
B. User Acceptance Testing (UAT) before implementation
C. Technical review by business owner
D. Cost-benefit analysis (CBA) after implementation

Question 55

Which of the following is the MOST common cause of system or security failures?
A. Lack of system documentation
B. Lack of physical security controls
C. Lack of change control
D. Lack of logging and monitoring

Question 56

Which of the following is a mandatory canon of the (ISC)² Code of Ethics?
A. Develop comprehensive security strategies for the organization.
B. Perform honestly, fairly, responsibly, and lawfully for the organization.
C. Create secure data protection policies to principals.
D. Provide diligent and competent service to principals.

Question 57

In the last 15 years a company has experienced three electrical failures. The cost associated with each failure is listed below. Which of the following would be a reasonable annual loss expectation?

Availability: 60,000
Integrity: 10,000
Confidentiality: 0
Total impact per failure: 70,000
A. 140,000
B. 3,500
C. 350,000
D. 14,000

Question 58

Which of the following describes the BEST method of maintaining the inventory of software and hardware within the organization?
A. Maintaining the inventory through a combination of asset owner interviews, open-source system management, and open-source management tools
B. Maintaining the inventory through a combination of desktop configuration, administration management, and procurement management tools
C. Maintaining the inventory through a combination of on-premises storage configuration, cloud management, and partner management tools
D. Maintaining the inventory through a combination of system configuration, network management, and license management tools

Question 59

When testing password strength, which of the following is the BEST method for brute forcing passwords?
A. Conduct an offline attack on the hashed password information.
B. Conduct an online password attack until the account being used is locked.
C. Use a comprehensive list of words to attempt to guess the password.
D. Use social-engineering methods to attempt to obtain the password.
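Added worked example (not part of the original quiz) contrasting an offline dictionary attack on a copy of the hashed credentials with the same wordlist run against a live login endpoint that locks accounts. The credential records, wordlist and the OnlineTarget class are constructed for the demo; the iteration count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    # Low iteration count for the demo; a real deployment uses far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _build_records():
    """Constructed 'stolen' credential file: username -> (salt, hash)."""
    records = {}
    for user, pw in [("alice", "summer2024"), ("bob", "Tr0ub4dor&3"), ("carol", "letmein")]:
        salt = os.urandom(16)
        records[user] = (salt, hash_password(pw, salt))
    return records


RECORDS = _build_records()
WORDLIST = ["password", "letmein", "summer2024", "qwerty", "welcome1", "admin"]


def crack_offline(records, wordlist):
    """Dictionary attack on hashes the attacker already holds: no lockout,
    no rate limit, no log entry on the victim's side."""
    found = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if hmac.compare_digest(hash_password(word, salt), digest):
                found[user] = word
                break
    return found


class OnlineTarget:
    """Login endpoint that locks an account after a fixed number of failures."""

    def __init__(self, records, lockout_threshold: int = 5):
        self.records = records
        self.threshold = lockout_threshold
        self.failures = {}
        self.locked = set()

    def attempt(self, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"
        salt, digest = self.records[user]
        if hmac.compare_digest(hash_password(password, salt), digest):
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "failed"


def crack_online(target: OnlineTarget, user: str, wordlist):
    """Same wordlist against the live endpoint.
    Returns (password or None, number of requests sent)."""
    for n, word in enumerate(wordlist, 1):
        result = target.attempt(user, word)
        if result == "ok":
            return word, n
        if result == "locked":
            return None, n
    return None, len(wordlist)


if __name__ == "__main__":
    print("offline:", crack_offline(RECORDS, WORDLIST))
    target = OnlineTarget(RECORDS, lockout_threshold=2)
    for user in RECORDS:
        print("online", user, crack_online(target, user, WORDLIST))
```

Offline, the guess budget is bounded only by the attacker's hardware and the hash's cost, which is why slow, salted password hashing is the defender's lever there; online, lockout and rate limiting cap the budget but also hand the attacker a denial-of-service and alert the defender.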

Question 60

A security professional was tasked with rebuilding a company’s wireless infrastructure. Which of the following are the MOST important factors to consider while making a decision on which wireless spectrum to deploy?
A. Hybrid frequency band, service set identifier (SSID), and interpolation
B. Performance, geographic location, and radio signal interference
C. Facility size, intermodulation, and direct satellite service
D. Existing client devices, manufacturer reputation, and electrical interference