CISSP Practice Questions (1001–1020)

Question 1001

During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?
A. Calculate the value of assets being accredited.
B. Create a list to include in the Security Assessment and Authorization package.
C. Identify obsolete hardware and software.
D. Define the boundaries of the information system.

Question 1002

Which of the following countermeasures is the MOST effective in defending against a social engineering attack?
A. Mandating security policy acceptance
B. Changing individual behavior
C. Evaluating security awareness training
D. Filtering malicious e-mail content

Question 1003

Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization's network?
A. Provide vulnerability reports to management.
B. Validate vulnerability remediation activities.
C. Prevent attackers from discovering vulnerabilities.
D. Remediate known vulnerabilities.

Question 1004

A security analyst for a large financial institution is reviewing network traffic related to an incident. The analyst determines the traffic is irrelevant to the investigation, but in the process of the review the analyst also finds that an application's data, which includes full cardholder data from payment cards, is transferred in clear text between the server and the user's desktop. The analyst knows this violates the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is the analyst's next step?
A. Send the log file to co-workers for peer review
B. Include the full network traffic logs in the incident report
C. Follow organizational processes to alert the proper teams to address the issue.
D. Ignore data as it is outside the scope of the investigation and the analyst’s role.

Question 1005

Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software?
A. undergo a security assessment as part of authorization process
B. establish a risk management strategy
C. harden the hosting server, and perform hosting and application vulnerability scans
D. establish policies and procedures on system and services acquisition

Question 1006

What is the MAIN goal of information security awareness and training?
A. To inform users of the latest malware threats
B. To inform users of information assurance responsibilities
C. To comply with the organization's information security policy
D. To prepare students for certification

Question 1007

What protocol is often used between gateway hosts on the Internet?
A. Exterior Gateway Protocol (EGP)
B. Border Gateway Protocol (BGP)
C. Open Shortest Path First (OSPF)
D. Internet Control Message Protocol (ICMP)

Question 1008

From a security perspective, which of the following assumptions MUST be made about input to an application?
A. It is tested
B. It is logged
C. It is verified
D. It is untrusted

Question 1009

What is the MAIN reason for testing a Disaster Recovery Plan (DRP)?
A. To ensure Information Technology (IT) staff knows and performs roles assigned to each of them
B. To validate backup sites’ effectiveness
C. To find out what does not work and fix it
D. To create a high level DRP awareness among Information Technology (IT) staff

Question 1010

What is the PRIMARY role of a scrum master in agile development?
A. To choose the primary development language
B. To choose the integrated development environment
C. To match the software requirements to the delivery plan
D. To project manage the software delivery

Question 1011

Which security access policy contains fixed security attributes that are used by the system to determine a user’s access to a file or object?
A. Mandatory Access Control (MAC)
B. Access Control List (ACL)
C. Discretionary Access Control (DAC)
D. Authorized user control

Question 1012

It is MOST important to perform which of the following to minimize potential impact when implementing a new vulnerability scanning tool in a production environment?
A. Negotiate the schedule with the Information Technology (IT) operations team
B. Log vulnerability summary reports to a secured server
C. Enable scanning during off-peak hours
D. Establish access for Information Technology (IT) management

Question 1013

Which security model is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?
A. Biba
B. Graham-Denning
C. Clark-Wilson
D. Bell-LaPadula

Question 1014

Which of the following is the BEST reason for the use of security metrics?
A. They ensure that the organization meets its security objectives.
B. They provide an appropriate framework for Information Technology (IT) governance.
C. They speed up the process of quantitative risk assessment.
D. They quantify the effectiveness of security processes.

Question 1015

When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified?
A. Implementation
B. Initiation
C. Review
D. Development

Question 1016

Mandatory Access Controls (MAC) are based on:
A. security classification and security clearance
B. data segmentation and data classification
C. data labels and user access permissions
D. user roles and data encryption
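Questions 1011, 1013 and 1016 all turn on how a mandatory access control decision is made from fixed, system-assigned labels rather than from owner-granted permissions. The following is an added illustration written for this page, not material from the quiz or from any exam vendor: a hypothetical reference monitor that encodes a clearance or classification as a label (a sensitivity rank plus a set of compartments) and applies the Bell-LaPadula confidentiality rules and the Biba integrity rules to it. The rank numbers, compartment names and the constructed scenario at the bottom are assumptions made for the example.

```python
"""Hypothetical MAC reference monitor: label dominance plus the
Bell-LaPadula and Biba rule sets.  Added example; not from the quiz."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Assumed sensitivity ordering: a higher rank is more sensitive / more trusted.
RANK: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                        "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A fixed security attribute set by the system, never by the object owner
    (that is what separates MAC from DAC).  rank: hierarchical level,
    compartments: need-to-know categories that must also match."""
    rank: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self >= other in the lattice: level at least as high AND
        # a superset of the other label's compartments.
        return (self.rank >= other.rank
                and self.compartments >= other.compartments)


def label(level: str, *compartments: str) -> Label:
    """Convenience constructor using the assumed RANK table."""
    return Label(RANK[level], frozenset(compartments))


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality):
    simple security property -> no read up   (subject must dominate object)
    *-property               -> no write down (object must dominate subject)"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity), the mirror image of BLP:
    simple integrity property -> no read down (object must dominate subject)
    integrity *-property      -> no write up  (subject must dominate object)"""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def demo() -> Dict[str, bool]:
    """Constructed scenario: an analyst cleared SECRET with the FIN compartment
    touching objects with different classifications.  Returns each decision."""
    analyst = label("SECRET", "FIN")
    return {
        # Read of a CONFIDENTIAL/FIN report: clearance dominates -> allowed.
        "blp_read_down": blp_allows(analyst, label("CONFIDENTIAL", "FIN"), "read"),
        # Write into that same lower object would leak SECRET data -> denied.
        "blp_write_down": blp_allows(analyst, label("CONFIDENTIAL", "FIN"), "write"),
        # Read of a SECRET object in a compartment the analyst lacks -> denied.
        "blp_read_other_compartment": blp_allows(analyst, label("SECRET", "PROJX"), "read"),
        # Appending to a TOP_SECRET log (write up) is permitted by BLP.
        "blp_write_up": blp_allows(analyst, label("TOP_SECRET", "FIN"), "write"),
        # Biba: a high-integrity process must not consume low-integrity input.
        "biba_read_down": biba_allows(Label(1), Label(0), "read"),
        # Biba: low-integrity process must not modify high-integrity data.
        "biba_write_up": biba_allows(Label(0), Label(1), "write"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:28s} {'ALLOW' if allowed else 'DENY'}")
```

The same `dominates` test drives both models; only the direction of the comparison changes, which is why Biba is often described as Bell-LaPadula turned upside down. Clark-Wilson, the answer to question 1013, is not a lattice model at all: it constrains integrity through well-formed transactions and separation of duties rather than through label comparison, so it is deliberately not represented here.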

Question 1017

Which of the following methods of suppressing a fire is environmentally friendly and the MOST appropriate for a data center?
A. Inert gas fire suppression system
B. Halon gas fire suppression system
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers

Question 1018

What are the steps of a risk assessment?
A. identification, analysis, evaluation
B. analysis, evaluation, mitigation
C. classification, identification, risk management
D. identification, evaluation, mitigation

Question 1019

Which of the following is a common characteristic of privacy?
A. Provision for maintaining an audit trail of access to the private data
B. Notice to the subject of the existence of a database containing relevant credit card data
C. Process for the subject to inspect and correct personal data on-site
D. Database requirements for integration of privacy data

Question 1020

What does electronic vaulting accomplish?
A. It protects critical files.
B. It ensures the fault tolerance of Redundant Array of Independent Disks (RAID) systems.
C. It stripes all database records.
D. It automates the Disaster Recovery Plan (DRP).