CISSP Practice Questions (121–140)

Answer: A

Rationale: The OWASP Top 10 lists the most critical web application vulnerabilities — a global reference for application security programs.

Answer: A

Rationale: CISSP defines 'Examine' as reviewing documentation, configurations, records, or logs without executing code or directly manipulating systems. Reviewing system logs is a non-intrusive documentation-based activity and best represents the Examine method. Logging in with default credentials is considered Testing, not Examining.

Answer: C

Rationale: HR manages employment lifecycle — the authoritative source for onboarding/offboarding triggers for account management.

Answer: A

Rationale: Virtualization supports rapid restoration and replication of systems, reducing downtime — aligning with tighter RTO objectives.

Answer: B

Rationale: The Reference Monitor enforces access control policy decisions, mediating all access to objects based on system security model.

Answer: A

Rationale: Independence ensures unbiased assessments and integrity of audit results — a fundamental CISSP audit principle.

Answer: D

Rationale: Overwriting (logical clearing) securely removes data from storage while preserving the hardware for resale. Purging methods such as degaussing or physical destruction eliminate reuse value. Overwriting meets security needs while maintaining the resale value of the drives.

Answer: D

Rationale: Classification helps define the level of protection and controls appropriate for each information type — foundational for CISSP asset management.

Answer: D

Rationale: OWASP SAMM emphasizes risk response maturity — how effectively an organization reacts and mitigates software security risks.

Answer: A

Rationale: An Optical Time-Domain Reflectometer (OTDR) locates breaks and signal loss points in fiber optics — essential for telecom troubleshooting.

Answer: B

Rationale: Content Delivery Networks (CDNs) rely on caching for latency reduction — ensuring global scalability and performance.

Answer: B

Rationale: Fibre Channel over Ethernet (FCoE) integrates storage and data traffic efficiently across SDN fabrics — scalable beyond single datacenters.

Answer: D

Rationale: OCSP validates the current revocation status of a digital certificate in real time — confirming it’s still trusted and not revoked.

Would you like me to continue formatting these into your two-column PDF layout (Question #+ Options vs Answer & Rationale side-by-side) like before?

Answer: B

Rationale: Non-repudiation is achieved with asymmetric encryption (digital signatures) ensuring sender authenticity and integrity verification.

Answer: B

Rationale: Defining the scope ensures that the audit boundaries, systems, and objectives are clear before any review begins. CISSP stresses scoping as the foundation of the audit lifecycle.

Answer: A

Rationale: Documenting the disaster damage with photos and videos is a critical first step to preserve evidence for insurance and post-incident review. CISSP BCP/DRP best practices require evidence collection before remediation.

Answer: D

Rationale: OCSP provides real-time validation of a certificate’s revocation status — confirming its validity without requiring a full Certificate Revocation List (CRL). It’s the modern, faster replacement for CRLs.

Answer: C

Rationale: BGP autonomous system number updates require propagation across global routing infrastructure and often require coordination with ISPs, making them slower than DNS propagation or local configuration changes. Because BGP routing changes take longer to stabilize worldwide, this step has the longest recovery time.

Answer: C

Rationale: According to the (ISC)² Code of Ethics, professionals must first protect the public, then uphold the profession, then employers/principals, and finally individuals. This hierarchy preserves professional integrity and societal trust.

Answer: D

Rationale: Content-Security-Policy (CSP) restricts allowed content sources, preventing inline script execution and mitigating XSS attacks — a key CISSP control in web application security.