Question 141
Configuring a rogue WAP with the same SSID as a legitimate WAP to trick users into connecting is an example of:
A. Jamming
B. Man-in-the-Middle (MITM)
C. War driving
D. IP spoofing
Question 142
Which of the following is a key responsibility for a data steward assigned to manage an enterprise data lake?
A. Ensure proper business definition, value, and data usage.
B. Ensure data owners for each element.
C. Ensure adequate security controls.
D. Ensure data passing is lawful.
Question 143
Which (ISC)² Code of Ethics canon is MOST reflected when preserving the value of systems, applications, and entrusted information?
A. Act honorably, honestly, justly, responsibly, and legally.
B. Protect society, the commonwealth, and the infrastructure.
C. Provide competent service.
D. Advance the profession.
Question 144
Which change management role is responsible for the overall success of the project and supporting change throughout the organization?
A. Change driver
B. Change implementer
C. Program sponsor
D. Project manager
Question 145
A subscription site with power, HVAC, raised flooring, and telecom but no hardware is a:
A. Warm site
B. Reciprocal site
C. Cold site
D. Hot site
Question 146
Which of the following is a correct feature of VLANs?
A. VLANs segregate traffic and enhance security.
B. Layer 3 routing is required to move VLANs.
C. VLANs depend on physical connections.
D. VLANs have no broadcast control.
Question 147
What is the MOST important factor in an effective Security Awareness Program?
A. Management buy-in
B. Annual training events
C. Mandatory security training
D. Posters and emails
Question 148
Which is the MOST appropriate method for destroying HDDs with HIGH security classification?
A. Drill through platters
B. Shred
C. Remove electronics
D. Degauss
Question 149
A SOC found multiple virus variants all using specific memory locations. The organization prevented infection because endpoints had which feature?
A. Process isolation
B. TPM
C. ASLR
D. Virtualization
Question 150
During an ISMS audit, when are nonconformities reviewed and corrected?
A. Planning
B. Operation
C. Assessment
D. Improvement
Question 151
Which are the three main categories of security controls?
A. Administrative, technical, physical
B. Corrective, detective, recovery
C. Confidentiality, integrity, availability
D. Preventative, corrective, detective
Question 152
When encrypting data using symmetric ciphers, which approach mitigates risk of key reuse?
A. Use SHA-256
B. Use key hierarchy
C. Use HMAC
D. Use RSA keys
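The "key hierarchy" option above names a design rather than explaining it, so here is an added worked example (not part of the question bank) of what one looks like in practice: a single root key that is never used on data directly, with per-record, per-purpose keys derived from it by HKDF-SHA256 (RFC 5869). The record/tenant naming, the salt label and the root key value are constructed for illustration; the HKDF self-check uses the RFC's published test vector.

```python
"""Key hierarchy with HKDF-SHA256 (RFC 5869), as an added example.

Assumed design (not from the question bank): one long-lived root key is never
used to encrypt data itself; every record gets its own encryption key and its
own MAC key derived from the root with a context string, so no single key is
reused across records or across purposes.
"""
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_record_keys(root_key: bytes, tenant: str, record_id: str) -> dict:
    """Per-record, per-purpose keys.

    The tenant/record context and the purpose label are bound into 'info', so
    keys for different records or purposes never coincide even though they all
    descend from one root. The salt is a fixed public label (assumption) that
    can be bumped to rotate the whole hierarchy.
    """
    prk = hkdf_extract(b"records-kdf-v1", root_key)
    ctx = f"{tenant}/{record_id}".encode()
    return {
        "enc": hkdf_expand(prk, b"enc\x00" + ctx, 32),  # for the cipher
        "mac": hkdf_expand(prk, b"mac\x00" + ctx, 32),  # for integrity, never the same key
    }


def rfc5869_test_case_1() -> bool:
    """Self-check against the published RFC 5869 SHA-256 test vector (case 1)."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0d))   # 000102...0c
    info = bytes(range(0xf0, 0xfa))   # f0f1...f9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    root = bytes(range(32))  # constructed root key; in production this lives in a KMS/HSM
    k1 = derive_record_keys(root, "acme", "emp-1001")
    k2 = derive_record_keys(root, "acme", "emp-1002")
    print("HKDF matches RFC vector:", rfc5869_test_case_1())
    print("enc != mac for one record:", k1["enc"] != k1["mac"])
    print("different records, different keys:", k1["enc"] != k2["enc"])
```

The point of the hierarchy is blast-radius control: compromise of one derived key exposes one record for one purpose, the root never touches ciphertext, and rotation is a change of salt label followed by re-derivation rather than a hunt for every place a shared key was copied.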
Question 153
What is a common component of big data environments?
A. Consolidated data
B. Distributed storage
C. Distributed data collection
D. Centralized processing
Question 154
Which programming language type is MOST likely to ensure safe execution as intended?
A. Statically typed
B. Weakly typed
C. Strongly typed
D. Dynamically typed
Question 155
What should a business do if it refuses to accept residual risk?
A. Notify the audit committee
B. Purchase insurance
C. Implement safeguards
D. Transfer to another unit
Question 156
Which of the following is the FIRST step an organization’s security professional performs when defining a cybersecurity program based upon industry standards?
A. Map the organization’s current security practices to industry standards and frameworks.
B. Define the organization’s objectives regarding security and risk mitigation.
C. Select from a choice of security best practices.
D. Review the past security assessments.
Question 157
What is considered a compensating control for not having electrical surge protectors installed?
A. Having dual lines to network service providers built to the site.
B. Having backup diesel generators installed to the site.
C. Having a hot disaster recovery (DR) environment for the site.
D. Having network equipment in active-active clusters at the site.
Question 158
Which type of access control includes a system that allows only users that are type=managers and department=sales to access employee records?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Attribute-based access control (ABAC)
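The rule in this question ("type=managers and department=sales may access employee records") is a conjunction of subject attributes, which is exactly what an attribute-based policy expresses and a plain role table cannot without inventing a role per combination. The following is an added example, not part of the question bank: a small default-deny ABAC evaluator with the question's rule as its only policy entry, beside a role-based check for contrast. The policy shape, attribute names and subjects are constructed for illustration.

```python
"""Attribute-based access control (ABAC) check, as an added example.

Assumed policy model (not from the question bank): a rule names a resource and
an action and lists subject attributes that must ALL match. Requests that match
no rule are denied (default deny).
"""
from dataclasses import dataclass
from typing import Iterable, Mapping


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    required: Mapping[str, str]  # subject attribute -> value it must hold


# Constructed policy: the rule from the question, type=managers AND department=sales.
POLICY = (
    Rule("employee_records", "read", {"type": "managers", "department": "sales"}),
)

# Constructed RBAC table for contrast: a role grants the permission outright,
# with no way to say "only the managers who are in sales".
RBAC_PERMISSIONS = {
    "manager": {("employee_records", "read")},
}


def abac_permitted(subject: Mapping[str, str], resource: str, action: str,
                   policy: Iterable[Rule] = POLICY) -> bool:
    """True if some rule for (resource, action) has every required attribute
    present on the subject with the required value; otherwise deny."""
    for rule in policy:
        if (rule.resource, rule.action) != (resource, action):
            continue
        if all(subject.get(attr) == want for attr, want in rule.required.items()):
            return True
    return False


def rbac_permitted(roles: Iterable[str], resource: str, action: str,
                   table=RBAC_PERMISSIONS) -> bool:
    """Coarser role check: any role carrying the permission is enough."""
    return any((resource, action) in table.get(role, set()) for role in roles)


def explain(subject: Mapping[str, str], resource: str, action: str,
            policy: Iterable[Rule] = POLICY) -> str:
    """Trace of why the ABAC decision came out as it did (useful in audit logs)."""
    for rule in policy:
        if (rule.resource, rule.action) != (resource, action):
            continue
        missing = [f"{a}={v}" for a, v in rule.required.items() if subject.get(a) != v]
        if not missing:
            return "PERMIT: all required attributes match"
        return "DENY: unmet " + ", ".join(missing)
    return "DENY: no rule for this resource/action"


if __name__ == "__main__":
    # Constructed subjects
    subjects = {
        "sales manager": {"type": "managers", "department": "sales"},
        "eng manager":   {"type": "managers", "department": "engineering"},
        "sales rep":     {"type": "staff", "department": "sales"},
    }
    for who, attrs in subjects.items():
        print(f"{who:14s} ABAC={abac_permitted(attrs, 'employee_records', 'read')!s:5} "
              f"{explain(attrs, 'employee_records', 'read')}")
    # A role-only check admits every manager regardless of department.
    print("eng manager via RBAC:", rbac_permitted({"manager"}, "employee_records", "read"))
```

Two details matter in practice: the evaluator denies when an attribute is absent (a subject with no `department` does not match), and the decision is derived from attributes supplied by an identity provider at request time, so the policy does not have to be rewritten when people move between departments.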
Question 159
A CISSP with IAM responsibilities is asked to perform a vulnerability assessment on a web app to pass a PCI audit but has never performed one before. What should the CISSP do?
A. Review CISSP guidelines for performing a vulnerability assessment before proceeding.
B. Review PCI requirements before performing the vulnerability assessment.
C. Inform the CISO they are unable to perform the task because they are not qualified.
D. Since they are CISSP certified, proceed with the assessment.
Question 160
An authentication system that uses challenge-response was implemented, but testers moved laterally using authenticated credentials. Which attack method was MOST likely used?
A. Cross-Site Scripting (XSS)
B. Pass-the-ticket
C. Brute force
D. Hash collision