CISSP Practice Questions (821–840)

Question 821

The overall goal of a penetration test is to determine a system's
A. ability to withstand an attack.
B. capacity management.
C. error recovery capabilities.
D. reliability under stress.

Question 822

Which security action should be taken FIRST when computer personnel are terminated from their jobs?
A. Remove their computer access
B. Require them to turn in their badge
C. Conduct an exit interview
D. Reduce their physical access level to the facility

Question 823

The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using
A. INSERT and DELETE.
B. GRANT and REVOKE.
C. PUBLIC and PRIVATE.
D. ROLLBACK and TERMINATE.

Question 824

Which one of the following considerations has the LEAST impact when considering transmission security?
A. Network availability
B. Data integrity
C. Network bandwidth
D. Node locations

Question 825

The stringency of an Information Technology (IT) security assessment will be determined by the
A. system's past security record.
B. size of the system's database.
C. sensitivity of the system's data.
D. age of the system.

Question 826

Including a Trusted Platform Module (TPM) in the design of a computer system is an example of a technique to what?
A. Interface with the Public Key Infrastructure (PKI)
B. Improve the quality of security software
C. Prevent Denial of Service (DoS) attacks
D. Establish a secure initial state

Question 827

Which of the following is an authentication protocol in which a new random number is generated uniquely for each login session?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Point-to-Point Protocol (PPP)
C. Extensible Authentication Protocol (EAP)
D. Password Authentication Protocol (PAP)

Question 828

Which of the following is the best practice for testing a Business Continuity Plan (BCP)?
A. Test before the IT Audit
B. Test when environment changes
C. Test after installation of security patches
D. Test after implementation of system patches

Question 829

A security professional has just completed their organization's Business Impact Analysis (BIA). Following Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) best practices, what would be the professional's NEXT step?
A. Identify and select recovery strategies.
B. Present the findings to management for funding.
C. Select members for the organization's recovery teams.
D. Prepare a plan to test the organization's ability to recover its operations.

Question 830

In a financial institution, who has the responsibility for assigning the classification to a piece of information?
A. Chief Financial Officer (CFO)
B. Chief Information Security Officer (CISO)
C. Originator or nominated owner of the information
D. Department head responsible for ensuring the protection of the information

Question 831

When building a data center, site location and construction factors that increase the level of vulnerability to physical threats include
A. hardened building construction with consideration of seismic factors.
B. adequate distance from and lack of access to adjacent buildings.
C. curved roads approaching the data center.
D. proximity to high crime areas of the city.

Question 832

The PRIMARY purpose of a security awareness program is to
A. ensure that everyone understands the organization's policies and procedures.
B. communicate that access to information will be granted on a need-to-know basis.
C. warn all users that access to all systems will be monitored on a daily basis.
D. comply with regulations related to data and information protection.

Question 833

The BEST method of demonstrating a company's security level to potential customers is
A. a report from an external auditor.
B. responding to a customer's security questionnaire.
C. a formal report from an internal auditor.
D. a site visit by a customer's security team.

Question 834

Which one of the following is the MOST important in designing a biometric access system if it is essential that no one other than authorized individuals is admitted?
A. False Acceptance Rate (FAR)
B. False Rejection Rate (FRR)
C. Crossover Error Rate (CER)
D. Rejection Error Rate

Question 835

Which of the following is an essential element of privileged identity lifecycle management?
A. Regularly perform account re-validation and approval
B. Account provisioning based on multi-factor authentication
C. Frequently review performed activities and request justification
D. Account information to be provided by supervisor or line manager

Question 836

A practice that permits the owner of a data object to grant other users access to that object would usually provide
A. Mandatory Access Control (MAC).
B. owner-administered control.
C. owner-dependent access control.
D. Discretionary Access Control (DAC).

Question 837

Which of the following is a security feature of the Global System for Mobile Communications (GSM)?
A. It uses a Subscriber Identity Module (SIM) for authentication.
B. It uses encrypting techniques for all communications.
C. The radio spectrum is divided with multiple frequency carriers.
D. The signal is difficult to read as it provides end-to-end encryption.

Question 838

Which of the following assessment metrics is BEST used to understand a system's vulnerability to potential exploits?
A. Determining the probability that the system functions safely during any time period
B. Quantifying the system's available services
C. Identifying the number of security flaws within the system
D. Measuring the system's integrity in the presence of failure

Question 839

The use of strong authentication, the encryption of Personally Identifiable Information (PII) on database servers, application security reviews, and the encryption of data transmitted across networks provide
A. data integrity.
B. defense in depth.
C. data availability.
D. non-repudiation.

Question 840

What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?
A. Physical access to the electronic hardware
B. Regularly scheduled maintenance process
C. Availability of the network connection
D. Processing delays