Which of the following describes the order in which a digital-forensics process is usually conducted?
A. Ascertain legal authority, agree upon examination strategy, conduct examination, and report results.
B. Ascertain legal authority, conduct investigation, report results, and agree upon examination strategy.
C. Agree upon examination strategy, ascertain legal authority, conduct examination, and report results.
D. Agree upon examination strategy, ascertain legal authority, report results, and conduct examination.
Answer: A
Rationale: Proper forensic procedure begins with authorization, then planning, examination, and finally reporting — ensuring legal admissibility and chain of custody.
Question 102
A CISO tasked with migrating to the cloud must ensure optimal security. Which should be the FIRST consideration?
A. Define the cloud migration roadmap and identify which applications and data should be moved.
B. Ensure the cloud contract clearly defines shared responsibilities.
C. Analyze data repositories to determine control requirements.
D. Request a third-party vendor risk assessment.
Answer: A
Rationale: Before assessing vendors or controls, CISSP’s secure design approach requires defining scope and assets for migration — knowing what and how much will move.
Question 103
Which of the following is the PRIMARY purpose of due diligence when an organization embarks on a merger or acquisition?
A. Assess the business risks.
B. Formulate alternative strategies.
C. Determine that all parties are equally protected.
D. Provide adequate capability for all parties.
Answer: A
Rationale: Due diligence identifies and assesses potential security, legal, and financial risks before completing a merger — core CISSP governance practice.
Question 104
In a large company, a system administrator needs to assign users access to files using RBAC. Which option is an example of RBAC?
A. Allowing access based on group membership
B. Allowing access based on username
C. Allowing access based on user location
D. Allowing access based on file type
Answer: A
Rationale: Role-Based Access Control ties permissions to group roles, not individuals — a fundamental CISSP concept.
Question 105
Which of the following will an organization’s network vulnerability testing process BEST enhance?
A. Firewall log review
B. Asset management
C. Server hardening
D. Code review
Question 106
Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?
A. File Integrity Checker
B. Security information and event management (SIEM) system
C. Audit Logs
D. Intrusion Detection System (IDS)
Answer: A
Rationale: A file integrity checker (like Tripwire) detects unauthorized changes to files by comparing cryptographic hashes over time. CISSP’s operations domain uses integrity monitoring as a control against tampering.
Question 107
Which of the following measures serves as the BEST means for protecting data on computers, smartphones, and external storage devices when traveling to high-risk countries?
A. Review destination laws, forensically clean devices, and only download sensitive data via VPN
B. Keep laptops and storage devices in the hotel room
C. Use VPN only upon arrival
D. Use MFA to unlock devices
Answer: D
Rationale: Multi-factor authentication (MFA) and strong device encryption are the most effective controls for preventing data compromise if a device is seized or stolen during travel. CISSP emphasizes MFA as a safeguard against unauthorized access in hostile environments.
Question 108
Data remanence is the biggest threat in which of the following scenarios?
A. Physical disk reused within a datacenter
B. Physical disk degaussed and released
C. Flash drive overwritten and reused
D. Flash drive overwritten and released to third party for destruction
Answer: D
Rationale: Flash drives retain residual data even after overwriting. If released externally, data remanence risks exposure. CISSP guidance notes flash memory requires secure destruction (e.g., physical shredding).
Question 109
What are the essential elements of a Risk Assessment Report (RAR)?
A. Table of contents, testing criteria, index
B. Table of contents, chapters, and executive summary
C. Executive summary, graph of risks, and process
D. Executive summary, body of the report, and appendices
Answer: D
Rationale: A complete Risk Assessment Report includes executive summary, detailed findings, and supporting appendices — consistent with NIST SP 800-30 guidance.
Question 110
At the destination host, which OSI model layer will discard a segment with a bad checksum in the UDP header?
A. Network
B. Data link
C. Transport
D. Session
Answer: C
Rationale: UDP operates at the transport layer, where the UDP checksum validates the integrity of each segment. Segments with an incorrect checksum are discarded at the transport layer before reaching higher layers.
Question 111
An organization is having an IT audit of a SaaS application to demonstrate control effectiveness over time. Which SOC report will BEST fit their needs?
A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2 Type 1
D. SOC 2 Type 2
Answer: D
Rationale: SOC 2 Type 2 evaluates security, availability, confidentiality, and processing integrity controls over a period of time, meeting SaaS operational assurance requirements. Type 1 is only point-in-time.
Question 112
Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?
A. Lower SDLC cost
B. Facilitate root cause analysis (RCA)
C. Enable corrective action
D. Avoid lengthy reports
Answer: B
Rationale: Detailed logs support root cause analysis and accountability. CISSP logging standards require sufficient granularity to investigate incidents effectively.
Question 113
A Distributed Denial of Service (DDoS) attack was carried out using Mirai malware. Which devices were the PRIMARY sources of attack traffic?
A. Internet of Things (IoT) devices
B. Microsoft Windows hosts
C. Linux web servers
D. Android phones
Answer: A
Rationale: The Mirai botnet exploited weakly secured IoT devices (like cameras and routers) to launch DDoS attacks — a key CISSP case study in insecure embedded systems.
Question 114
An international organization is adopting a SaaS solution. Which compliance standard should it use to assess data security and privacy?
A. HIPAA
B. SOC 2
C. PCI-DSS
D. IATF
Answer: B
Rationale: SOC 2 focuses on Trust Service Criteria (security, availability, confidentiality, privacy) — directly applicable to cloud and SaaS providers.
Question 115
What documentation is produced FIRST when performing a physical loss control process?
A. Deterrent controls list
B. Security standards list
C. Inventory list
D. Asset isolation list
Answer: C
Rationale: Physical loss control begins with an inventory of assets — identifying what must be protected before applying controls. CISSP’s asset management process always starts with identification.
Question 116
What is the PRIMARY goal of logical access controls?
A. Restrict access to an information asset
B. Ensure integrity
C. Restrict physical access
D. Ensure availability
Answer: A
Rationale: Logical access controls primarily restrict access through identification, authentication, and authorization; physical access is a separate control family.
Question 117
Which attack, if successful, could grant full control of a software-defined networking (SDN) architecture?
A. Sniffing compromised host
B. Sending control messages to open unauthorized flow
C. SSH brute-force on controller
D. RADIUS token replay
Answer: B
Rationale: SDN separates control and data planes. If an attacker sends malicious control messages, they can manipulate network flows — gaining full network control.
Question 118
When conducting a third-party risk assessment, which report verifies operating effectiveness of security, availability, and privacy controls?
A. SOC 1 Type 2, Type 2
B. SOC 2 Type 2, Type 2
C. ISO 27001
D. ISO 27002
Answer: B
Rationale: SOC 2 Type 2 validates operational effectiveness across security, availability, confidentiality, privacy — the standard assurance report for third-party services.
Question 119
A network security engineer must inspect URL traffic, prevent browsing to malicious sites, and log user activity. Which solution fits best?
A. IDS
B. Circuit-level Proxy
C. Application-level Proxy
D. Host-based Firewall
Answer: C
Rationale: Application-level proxies operate at the application layer and can fully inspect HTTP/HTTPS requests, including URL paths, headers, and content. They can enforce content filtering policies, block malicious sites, and log detailed user browsing activity. Circuit-level proxies only verify session setup and cannot inspect URLs, making them insufficient for these requirements.
Question 120
Which event magnitude is defined as deadly, destructive, and disruptive when a hazard interacts with human vulnerability?
A. Disaster
B. Catastrophe
C. Crisis
D. Accident
Answer: B
Rationale: A catastrophe implies massive destruction and prolonged disruption, exceeding normal disaster recovery thresholds — key in CISSP’s risk management terminology.