$0.00
ISC2 CISSP Dumps

ISC2 CISSP Exam Dumps

Certified Information Systems Security Professional (CISSP)

Total Questions : 1486
Update Date : November 10, 2024
PDF + Test Engine
$65 $95
Test Engine
$55 $85
PDF Only
$45 $75



Last Week CISSP Exam Results

178

Customers Passed ISC2 CISSP Exam

94%

Average Score In Real CISSP Exam

95%

Questions came from our CISSP dumps.



Choosing the Right Path for Your CISSP Exam Preparation

Welcome to PassExamHub's comprehensive study guide for the Certified Information Systems Security Professional (CISSP) exam. Our CISSP dumps is designed to equip you with the knowledge and resources you need to confidently prepare for and succeed in the CISSP certification exam.

What Our ISC2 CISSP Study Material Offers

PassExamHub's CISSP dumps PDF is carefully crafted to provide you with a comprehensive and effective learning experience. Our study material includes:

In-depth Content: Our study guide covers all the key concepts, topics, and skills you need to master for the CISSP exam. Each topic is explained in a clear and concise manner, making it easy to understand even the most complex concepts.
Online Test Engine: Test your knowledge and build your confidence with a wide range of practice questions that simulate the actual exam format. Our test engine cover every exam objective and provide detailed explanations for both correct and incorrect answers.
Exam Strategies: Get valuable insights into exam-taking strategies, time management, and how to approach different types of questions.
Real-world Scenarios: Gain practical insights into applying your knowledge in real-world scenarios, ensuring you're well-prepared to tackle challenges in your professional career.

Why Choose PassExamHub?

Expertise: Our CISSP exam questions answers are developed by experienced ISC2 certified professionals who have a deep understanding of the exam objectives and industry best practices.
Comprehensive Coverage: We leave no stone unturned in covering every topic and skill that could appear on the CISSP exam, ensuring you're fully prepared.
Engaging Learning: Our content is presented in a user-friendly and engaging format, making your study sessions enjoyable and effective.
Proven Success: Countless students have used our study materials to achieve their CISSP certifications and advance their careers.
Start Your Journey Today!

Embark on your journey to Certified Information Systems Security Professional (CISSP) success with PassExamHub. Our study material is your trusted companion in preparing for the CISSP exam and unlocking exciting career opportunities.


Related Exams


ISC2 CISSP Sample Question Answers

Question # 1

What protocol is often used between gateway hosts on the Internet’ To control the scope of a Business Continuity Management (BCM) system, a security practitioner should identify which of the following?

A. Size, nature, and complexity of the organization  
B. Business needs of the security organization  
C. All possible risks  
D. Adaptation model for future recovery planning  



Question # 2

The core component of Role Based Access control (RBAC) must be constructed of defined data elements. Which elements are required? 

A. Users, permissions, operators, and protected objects  
B. Users, rotes, operations, and protected objects  
C. Roles, accounts, permissions, and protected objects  
D. Roles, operations, accounts, and protected objects  



Question # 3

Which of the following access management procedures would minimize the possibility of an organization's employees retaining access to secure werk areas after they change roles? 

A. User access modification  
B. user access recertification  
C. User access termination  
D. User access provisioning  



Question # 4

What Is the FIRST step in establishing an information security program? 

A. Establish an information security policy.  
B. Identify factors affecting information security.  
C. Establish baseline security controls.  
D. Identify critical security infrastructure.  



Question # 5

During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?

A. Calculate the value of assets being accredited.  
B. Create a list to include in the Security Assessment and Authorization package.  
C. Identify obsolete hardware and software.  
D. Define the boundaries of the information system.  



Question # 6

In which identity management process is the subject’s identity established? 

A. Trust  
B. Provisioning  
C. Authorization  
D. Enrollment  



Question # 7

Although code using a specific program language may not be susceptible to a buffer overflow attack,

A. most calls to plug-in programs are susceptible.  
B. most supporting application code is susceptible.  
C. the graphical images used by the application could be susceptible.  
D. the supporting virtual machine could be susceptible.  



Question # 8

In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is MAIN purpose of the DMZ?

A. Reduced risk to internal systems.  
B. Prepare the server for potential attacks.  
C. Mitigate the risk associated with the exposed server.  
D. Bypass the need for a firewall.  



Question # 9

What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?

A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP). 
B. SSL and TLS provide nonrepudiation by default.  
C. SSL and TLS do not provide security for most routed protocols.  
D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).  



Question # 10

Which of the following media sanitization techniques is MOST likely to be effective for an organization using public cloud services? 

A. Low-level formatting  
B. Secure-grade overwrite erasure  
C. Cryptographic erasure  
D. Drive degaussing  



Question # 11

Which of the following is the BEST example of weak management commitment to the protection of security assets and resources?

A. poor governance over security processes and procedures  
B. immature security controls and procedures  
C. variances against regulatory requirements  
D. unanticipated increases in security incidents and threats  



Question # 12

Which of the following is the PRIMARY concern when using an Internet browser to access a cloud-based service? 

A. Insecure implementation of Application Programming Interfaces (API)  
B. Improper use and storage of management keys  
C. Misconfiguration of infrastructure allowing for unauthorized access  
D. Vulnerabilities within protocols that can expose confidential data  



Question # 13

The amount of data that will be collected during an audit is PRIMARILY determined by the. 

A. audit scope.  
B. auditor's experience level.  
C. availability of the data.  
D. integrity of the data.  



Question # 14

The key benefits of a signed and encrypted e-mail include 

A. confidentiality, authentication, and authorization.  
B. confidentiality, non-repudiation, and authentication.  
C. non-repudiation, authorization, and authentication.  
D. non-repudiation, confidentiality, and authorization.  



Question # 15

An internal Service Level Agreement (SLA) covering security is signed by senior managers and is in place. When should compliance to the SLA be reviewed to ensure that a good security posture is being delivered? 

A. As part of the SLA renewal process  
B. Prior to a planned security audit  
C. Immediately after a security breach  
D. At regularly scheduled meetings  



Question # 16

Which one of the following effectively obscures network addresses from external exposure when implemented on a firewall or router?

A. Network Address Translation (NAT)  
B. Application Proxy  
C. Routing Information Protocol (RIP) Version 2  
D. Address Masking  



Question # 17

Which layer of the Open Systems Interconnections (OSI) model implementation adds information concerning the logical connection between the sender and receiver?

A. Physical  
B. Session  
C. Transport  
D. Data-Link  



Question # 18

Which of the following can BEST prevent security flaws occurring in outsourced software development? 

A. Contractual requirements for code quality  
B. Licensing, code ownership and intellectual property rights  
C. Certification of the quality and accuracy of the work done  
D. Delivery dates, change management control and budgetary control  



Question # 19

How should the retention period for an organization's social media content be defined? 

A. By the retention policies of each social media service  
B. By the records retention policy of the organization  
C. By the Chief Information Officer (CIO)  
D. By the amount of available storage space  



Question # 20

What is the PRIMARY purpose of auditing, as it relates to the security review cycle? 

A. To ensure the organization's controls and pokies are working as intended  
B. To ensure the organization can still be publicly traded  
C. To ensure the organization's executive team won't be sued  
D. To ensure the organization meets contractual requirements  



Question # 21

An application is used for funds transfer between an organization and a third-party. During a security audit, an issue with the business continuity/disaster recovery policy and procedures for this application. Which of the following reports should the audit file with the organization?

A. Service Organization Control (SOC) 1  
B. Statement on Auditing Standards (SAS) 70
C. Service Organization Control (SOC) 2  
D. Statement on Auditing Standards (SAS) 70-1  



Question # 22

The Industrial Control System (ICS) Computer Emergency Response Team (CERT) has released an alert regarding ICS-focused malware specifically propagating through Windows-based business networks. Technicians at a local water utility note that their dams, canals, and locks controlled by an internal Supervisory Control and Data Acquisition (SCADA) system have been malfunctioning. A digital forensics professional is consulted in the Incident Response (IR) and recovery. Which of the following is the MOST challenging aspect of this investigation?

A. SCADA network latency  
B. Group policy implementation  
C. Volatility of data  
D. Physical access to the system



Question # 23

Which of the following needs to be tested to achieve a Cat 6a certification for a company's data cabling?

A. RJ11  
B. LC ports  
C. Patch panel  
D. F-type connector  



Question # 24

Which access control method is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context?

A. Mandatory Access Control (MAC)  
B. Role Based Access Control (RBAC)  
C. Discretionary Access Control (DAC)  
D. Attribute Based Access Control (ABAC)  



Question # 25

Which of the following are the B EST characteristics of security metrics? 

A. They are generalized and provide a broad overview  
B. They use acronyms and abbreviations to be concise  
C. They use bar charts and Venn diagrams  
D. They are consistently measured and quantitatively expressed  



Question # 26

Which reporting type requires a service organization to describe its system and define its control objectives and controls that are relevant to users' internal control over financial reporting?

A. Statement on Auditing Standards (SAS)70  
B. Service Organization Control 1 (SOC1)  
C. Service Organization Control 2 (SOC2)  
D. Service Organization Control 3 (SOC3)  



Question # 27

Which of the following is the PRIMARY purpose of installing a mantrap within a facility? 

A. Control traffic  
B. Prevent rapid movement  
C. Prevent plggybacking  
C. Prevent piggybacking  



Question # 28

A manager identified two conflicting sensitive user functions that were assigned to a single user account that had the potential to result in a financial and regulatory risk to the company. The manager MOST likely discovered this during which of the following?

A. Security control assessment.  
B. Separation of duties analysis  
C. Network Access Control (NAC) review  
D. Federated identity management (FIM) evaluation  



Question # 29

Which of the following system components enforces access controls on an object? 

A. Security perimeter  
B. Access control matrix  
C. Trusted domain  
D. Reference monitor  



Question # 30

Which of the following provides the MOST secure method for Network Access Control (NAC)?

A. Media Access Control (MAC) filtering  
B. 802.IX authentication  
C. Application layer filtering  
D. Network Address Translation (NAT)  



Question # 31

A software development company found odd behavior in some recently developed software, creating a need for a more thorough code review. What is the MOST effective argument for a more thorough code review?

A. It will increase the flexibility of the applications developed.  
B. It will increase accountability with the customers.  
C. It will impede the development process.  
D. lt will reduce the potential for vulnerabilities.  



Question # 32

How should the retention period for an organization's social media content be defined? 

A. Wireless Access Points (AP)  
B. Token-based authentication  
C. Host-based firewalls  
D. Trusted platforms  



Question # 33

When designing a new Voice over Internet Protocol (VoIP) network, an organization's top concern is preventing unauthorized users from accessing the VoIP network. Which of the following will BEST help secure the VoIP network?

A. Transport Layer Security (TLS)  
B. 802.1x  
C. 802.119  
D. Web application firewall (WAF)



Question # 34

Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?

A. Mandatory Access Control (MAC) and Discretionary Access Control (DAC)  
B. Discretionary Access Control (DAC) and Access Control List (ACL)  
C. Role Based Access Control (RBAC) and Mandatory Access Control (MAC)  
D. Role Based Access Control (RBAC) and Access Control List (ACL)  



Question # 35

What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program?

A. Make all stakeholders aware of the program's progress.  
B. Measure the effect of the program on the organization's workforce.  
C. Facilitate supervision of periodic training events.  
D. Comply with legal regulations and document due diligence in security practices.  



Question # 36

In a DevOps environment, which of the following actions is MOST necessary to have confidence in the quality of the changes being made?

A. Prepare to take corrective actions quickly.  
B. Receive approval from the change review board.  
C. Review logs for any anomalies.  
D. Automate functionality testing.



Question # 37

A Chief Information Officer (CIO) has delegated responsibility of their system security to the head of the information technology (IT) department. While corporate policy dictates that only the CIO can make decisions on the level of data protection required, technical implementation decisions are done by the head of the IT department. Which of the following BEST describes the security role filled by the head of the IT department?

A. System analyst  
B. System security officer  
C. System processor  
D. System custodian  



Question # 38

During a Disaster Recovery (DR) simulation, it is discovered that the shared recovery site lacks adequate data restoration capabilities to support the implementation of multiple plans simultaneously. What would be impacted by this fact if left unchanged?

A. Recovery Point Objective (RPO) 
B. Recovery Time Objective (RTO) 
C. Business Impact Analysis (BIA) 
D. Return on Investment (ROI) 



Question # 39

In a multi-tenant cloud environment, what approach will secure logical access to assets? 

A. Hybrid cloud  
B. Transparency/Auditability of administrative access  
C. Controlled configuration management (CM)  
D. Virtual private cloud (VPC)



Question # 40

A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?

A. All developers receive mandatory targeted information security training.  
B. The non-financial information security requirements remain mandatory for the new model. 
C. The information security department performs an information security assessment after each sprint.
D. Information security requirements are captured in mandatory user stories.  



Question # 41

Which of the following is the BEST method to gather evidence from a computer's hard drive?

A. Disk duplication  
B. Disk replacement  
C. Forensic signature  
D. Forensic imaging  



Question # 42

What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program? 

A. Establish an ISCM technical architecture.  
B. Collect the security-related information required for metrics, assessments, and reporting.  
C. Establish an ISCM program determining metrics, status monitoring frequencies, and control assessment frequencies.  
D. Define an ISCM strategy based on risk tolerance.  



Question # 43

The security team is notified that a device on the network is infected with malware. Which of the following is MOST effective in enabling the device to be quickly located and remediated?

A. data loss protection (DLP)  
B. Intrusion detection  
C. Vulnerability scanner  
D. Information Technology Asset Management (ITAM)  



Question # 44

Which of the following BEST describes the objectives of the Business Impact Analysis (BIA)?

A. Identifying the events and environmental factors that can adversely affect an organization
B. Identifying what is important and critical based on disruptions that can affect the organization. 
C. Establishing the need for a Business Continuity Plan (BCP) based on threats that can affect an organization 
D. Preparing a program to create an organizational awareness for executing the Business Continuity Plan (BCP) 



Question # 45

Computer forensics requires which of the following MAIN steps? 

A. Announce the incident to responsible sections, analyze the data, assimilate the data for correlation
B. Take action to contain the damage, announce the incident to responsible sections, analyze the data 
C. Acquire the data without altering, authenticate the recovered data, analyze the data  
D. Access the data before destruction, assimilate the data for correlation, take action to contain the damage 



Question # 46

An attacker is able to remain indefinitely logged into a exploit to remain on the web service?

A. Alert management  
B. Password management  
C. Session management  
D. Identity management (IM)  



Question # 47

Which of the following would qualify as an exception to the "right to be forgotten" of the General Data Protection Regulation (GDPR)?

A. For the establishment, exercise, or defense of legal claims  
B. The personal data has been lawfully processed and collected  
C. The personal data remains necessary to the purpose for which it was collected  
D. For the reasons of private interest  



Question # 48

The initial security categorization should be done early in the system life cycle and should be reviewed periodically. Why is it important for this to be done correctly?

A. It determines the security requirements.
B. It affects other steps in the certification and accreditation process.  
C. It determines the functional and operational requirements.  
D. The system engineering process works with selected security controls.  



Question # 49

When defining a set of security controls to mitigate a risk, which of the following actions MUST occur?

A. Each control's effectiveness must be evaluated individually.  
B. Each control must completely mitigate the risk.  
C. The control set must adequately mitigate the risk.  
D. The control set must evenly divided the risk.  



Question # 50

When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?

A. Service Organization Control (SOC) 1, Type 2  
B. Service Organization Control (SOC) 2, Type 2  
C. International Organization for Standardization (ISO) 27001  
D. International Organization for Standardization (ISO) 27002  



Question # 51

During a penetration test, what are the three PRIMARY objectives of the planning phase? 

A. Determine testing goals, identify rules of engagement and conduct an initial discovery scan. 
B. Finalize management approval, determine testing goals, and gather port and service information. 
C. Identify rules of engagement, finalize management approval, and determine testing goals. 
D. Identify rules of engagement, document management approval, and collect system and application information. 



Question # 52

What is the PRIMARY reason that a bit-level copy is more desirable than a file-level copy when replicating a hard drive's contents for an e-discovery investigation?

A. Files that have been deleted will be transferred.  
B. The file and directory structure is retained.  
C. File-level security settings will be preserved.  
D. The corruption of files is less likely.



Question # 53

An organization wants to migrate to Session Initiation Protocol (SIP) to save on telephony expenses. Which of the following security related statements should be considered in the decision-making process? 

A. Cloud telephony is less secure and more expensive than digital telephony services.  
B. SIP services are more secure when used with multi-layer security proxies.  
C. H.323 media gateways must be used to ensure end-to-end security tunnels.  
D. Given the behavior of SIP traffic, additional security controls would be required.  



Question # 54

When assessing the audit capability of an application, which of the following activities is MOST important?

A. Determine if audit records contain sufficient information.  
B. Review security plan for actions to be taken in the event of audit failure.  
C. Verify if sufficient storage is allocated for audit records.  
D. Identify procedures to investigate suspicious activity.  



Question # 55

Which of the following vulnerabilities can be BEST detected using automated analysis? 

A. Valid cross-site request forgery (CSRF) vulnerabilities  
B. Multi-step process attack vulnerabilities
C. Business logic flaw vulnerabilities  
D. Typical source code vulnerabilities  



Question # 56

In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?

A. The target’s security posture cannot be further compromised.  
B. The results of the tests represent a point-in-time assessment of the target(s).  
C. The accuracy of testing results can be greatly improved if the target(s) are properly hardened. 
D. The deficiencies identified can be corrected immediately  



Question # 57

Who should perform the design review to uncover security design flaws as part of the Software Development Life Cycle (SDLC)?

A. The business owner  
B. security subject matter expert (SME)  
C. The application owner  
D. A developer subject matter expert (SME)



Question # 58

An organization is trying to secure instant messaging (IM) communications through its network perimeter. Which of the following is the MOST significant challenge?

A. IM clients can interoperate between multiple vendors.  
B. IM clients can run without administrator privileges.  
C. IM clients can utilize random port numbers.  
D. IM clients can run as executables that do not require installation.  



Question # 59

When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner's first consideration?

A. Detection of sophisticated attackers  
B. Resiliency of the system  
C. Topology of the network used for the system  
D. Risk assessment of the system



Question # 60

Which of the following is fundamentally required to address potential security issues when initiating software development?

A. Implement ongoing security audits in all environments.  
B. Ensure isolation of development from production.  
C. Add information security objectives into development.  
D. Conduct independent source code review.



Question # 61

A project manager for a large software firm has acquired a government contract that generates large amounts of Controlled Unclassified Information (CUI). The organization's information security manager has received a request to transfer project-related CUI between systems of differing security classifications. What role provides the authoritative guidance for this transfer?

A. Information owner  
B. PM  
C. Data Custodian  
D. Mission/Business Owner  



Question # 62

What is the MOST appropriate hierarchy of documents when implementing a security program? 

A. Organization principle, policy, standard, guideline  
B. Policy, organization principle, standard, guideline  
C. Standard, policy, organization principle, guideline  
D. Organization principle, guideline, policy, standard  



Question # 63

employee training, risk management, and data handling procedures and policies could be characterized as which type of security measure?

A. Non-essential  
B. Management  
C. Preventative  
D. Administrative  



Question # 64

A network security engineer needs to ensure that a security solution analyzes traffic for protocol manipulation and various sorts of common attacks. In addition, all Uniform Resource Locator (URL) traffic must be inspected and users prevented from browsing inappropriate websites. Which of the following solutions should be implemented to enable administrators the capability to analyze traffic, blacklist external sites, and log user traffic for later analysis?

A. Intrusion detection system (IDS)  
B. Circuit-Level Proxy  
C. Application-Level Proxy  
D. Host-based Firewall  



Question # 65

An organization with divisions in the United States (US) and the United Kingdom (UK) processes data comprised of personal information belonging to subjects living in the European Union (EU) and in the US. Which data MUST be handled according to the privacy protections of General Data Protection Regulation (GDPR)?

A. Only the EU citizens’ data  
B. Only the EU residents' data  
C. Only the UK citizens’ data  
D. Only data processed in the UK



Question # 66

A company wants to store data related to users on an offsite server. What method can be deployed to protect the privacy of the user’s information while maintaining the field-level configuration of the database?

A. {Encryption  
B. Encoding  
C. Tokenization  
D. Hashing  



Question # 67

Which of the following determines how traffic should flow based on the status of the infrastructure layer?

A. Traffic plane  
B. Application plane  
C. Data plane  
D. Control plane  



Question # 68

Which of the following is security control volatility? 

A. A reference to the stability of the security control.  
B. A reference to how unpredictable the security control is.  
C. A reference to the impact of the security control.  
D. A reference to the likelihood of change in the security control.  



Question # 69

An organization has implemented a password complexity and an account lockout policy enforcing five incorrect logins tries within ten minutes. Network users have reported significantly increased account lockouts. Which of the following security principles is this company affecting?

A. Availability  
B. Integrity  
C. Confidentiality  
D. Authentication  



Question # 70

An organization implements Network Access Control (NAC) ay Institute of Electrical and Electronics Engineers (IEEE) 802.1x and discovers the printers do not support the IEEE 802.1x standard. Which of the following is the BEST resolution?

A. Implement port security on the switch ports for the printers.  
B. Implement a virtual local area network (VLAN) for the printers.  
C. Do nothing; IEEE 802.1x is irrelevant to printers.  
D. Install an IEEE 802. 1x bridge for the printers.  



Question # 71

An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently requires a username and password to log in. Which of the following options would BEST implement MFA?

A. Geolocate the user and compare to previous logins  
B. Require a pre-selected number as part of the login  
C. Have the user answer a secret question that is known to them  
D. Enter an automatically generated number from a hardware token  



Question # 72

Which of the following is a limitation of the Bell-LaPadula model? 

A. Segregation of duties (SoD) is difficult to implement as the "no read-up" rule limits the ability of an object to access information with a higher classification. 
B. Mandatory access control (MAC) is enforced at all levels making discretionary access control (DAC) impossible to implement. 
C. It contains no provision or policy for changing data access control and works well only with access systems that are static in nature. 
D. It prioritizes integrity over confidentiality which can lead to inadvertent information disclosure. 



Question # 73

What is the benefit of using Network Admission Control (NAC)? 

A. Operating system (OS) versions can be validated prior to allowing network access.  
B. NAC supports validation of the endpoint's security posture prior to allowing the session to go into an authorized state. 
C. NAC can require the use of certificates, passwords, or a combination of both before allowing network admission. 
D. NAC only supports Windows operating systems (OS).  



Question # 74

Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?

A. Diffie-hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Rivest-Shamir-Adleman (RSA) (1024 bits)
B. Diffie-hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Digital Signature Algorithm (DSA) (>=2048 bits)
C. Diffie-hellman (DH) key exchange: DH (<= 1024 bits) Symmetric Key: Blowfish Digital Signature: Rivest-Shamir-Adleman (RSA) (>=2048 bits)
D. Diffie-hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) < 128 bits Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) (>=256 bits)



Question # 75

When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner’s first consideration?

A. Resiliency of the system  
B. Detection of sophisticated attackers  
C. Risk assessment of the system  
D. Topology of the network used for the system  



Question # 76

Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?

A. Ensuring that system audit logs capture all relevant data fields required by the security controls baseline 
B. Performing Port Scans of selected network hosts to enumerate active services  
C. Asking the Information System Security Officer (ISSO) to describe the organization’s patch management processes 
D. Logging into a web server using the default administrator account and a default password 



Question # 77

Building blocks for software-defined networks (SDN) require which of the following? 

A. The SDN is mostly composed of virtual machines (VM).  
B. The SDN is composed entirely of client-server pairs.  
C. Virtual memory is used in preference to random-access memory (RAM).  
D. Random-access memory (RAM) is used in preference to virtual memory.  



Question # 78

Which of the following BEST describes why software assurance is critical in helping prevent an increase in business and mission risk for an organization? 

A. Software that does not perform as intended may be exploitable which makes it vulnerable to attack.
B. Request for proposals (RFP) avoid purchasing software that does not meet business needs. 
C. Contracting processes eliminate liability for security vulnerabilities for the purchaser.  
D. Decommissioning of old software reduces long-term costs related to technical debt.  



Question # 79

What is the FIRST step for an organization to take before allowing personnel to access social media from a corporate device or user account?

A. Publish a social media guidelines document.  
B. Publish an acceptable usage policy.  
C. Document a procedure for accessing social media sites.  
D. Deliver security awareness training.  



Question # 80

All hosts on the network are sending logs via syslog-ng to the log collector. The log collector is behind its own firewall, The security professional wants to make sure not to put extra load on the firewall due to the amount of traffic that is passing through it. Which of the following types of filtering would MOST likely be used?

A. Uniform Resource Locator (URL) Filtering  
B. Web Traffic Filtering  
C. Dynamic Packet Filtering  
D. Static Packet Filtering  



Question # 81

When designing a business continuity plan (BCP), what is the formula to determine the Maximum Tolerable Downtime (MTD)?

A. Annual Loss Expectancy (ALE) + Work Recovery Time (WRT)  
B. Business impact analysis (BIA) + Recovery Point Objective (RPO)  
C. Recovery Time Objective (RTO) + Work Recovery Time (WRT)  
D. Estimated Maximum Loss (EML) + Recovery Time Objective (RTO)  



Question # 82

Which of the following will an organization's network vulnerability testing process BEST enhance?

A. Firewall log review processes  
B. Asset management procedures  
C. Server hardening processes  
D. Code review procedures  



Question # 83

What are the three key benefits that application developers should derive from the northbound application programming interface (API) of software-defined networking (SDN)?

A. Familiar syntax, abstraction of network topology, and definition of network protocols  
B. Network syntax, abstraction of network flow, and abstraction of network protocols  
C. Network syntax, abstraction of network commands, and abstraction of network protocols  
D. Familiar syntax, abstraction of network topology, and abstraction of network protocols  



Question # 84

An organization wants to share data securely with their partners via the Internet. Which standard port is typically used to meet this requirement?

A. Setup a server on User Datagram Protocol (UDP) port 69  
B. Setup a server on Transmission Control Protocol (TCP) port 21  
C. Setup a server on Transmission Control Protocol (TCP) port 22  
D. Setup a server on Transmission Control Protocol (TCP) port 80  



Question # 85

A criminal organization is planning an attack on a government network. Which of the following scenarios presents the HIGHEST risk to the organization?

A. Network is flooded with communication traffic by the attacker.  
B. Organization loses control of their network devices.  
C. Network management communications is disrupted.  
D. Attacker accesses sensitive information regarding the network topology.  



Question # 86

Which media sanitization methods should be used for data with a high security categorization?

A. Clear or destroy  
B. Clear or purge  
C. Destroy or delete  
D. Purge or destroy  



Question # 87

What is the PRIMARY benefit of relying on Security Content Automation Protocol (SCAP)? 

A. Save security costs for the organization.  
B. Improve vulnerability assessment capabilities.  
C. Standardize specifications between software security products.  
D. Achieve organizational compliance with international standards.  



Question # 88

Of the following, which BEST provides non- repudiation with regards to access to a server room?

A. Fob and Personal Identification Number (PIN)  
B. Locked and secured cages  
C. Biometric readers  
D. Proximity readers  



Question # 89

Which of the fallowing statements is MOST accurate regarding information assets? 

A. International Organization for Standardization (ISO) 27001 compliance specifies which information assets must be included in asset inventory.
B. S3 Information assets include any information that is valuable to the organization,  
C. Building an information assets register is a resource-intensive job.  
D. Information assets inventory is not required for risk assessment.  



Question # 90

Which of the following security tools will ensure authorized data is sent to the application when implementing a cloud based application?

A. Host-based intrusion prevention system (HIPS)  
B. Access control list (ACL)  
C. File integrity monitoring (FIM)  
D. Data loss prevention (DLP)



Question # 91

Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM) Voice over Internet Protocol (VoIP) attacks?

A. Use Media Gateway Control Protocol (MGCP)  
B. Use Transport Layer Security (TLS) protocol
C. Use File Transfer Protocol (FTP)  
D. Use Secure Shell (SSH) protocol



Question # 92

Write Once, Read Many (WORM) data storage devices are designed to BEST support which of the following core security concepts?

A. lntegrity  
B. Scalability  
C. Availability  
D. Confidentiality  



Question # 93

Which of the following types of web-based attack is happening when an attacker is able to send a well-crafted, malicious request to an authenticated user without the user realizing it?

A. ross-Site Scripting (XSS)  
B. Cross-Site request forgery (CSRF)  
C. Cross injection  
D. Broken Authentication And Session Management  



Question # 94

Which of the following is the PRIMARY type of cryptography required to support nonrepudiation of a digitally signed document?

A. Message digest (MD)  
B. Asymmetric  
C. Symmetric  
D. Hashing  



Question # 95

Which of the following is the MOST important first step in preparing for a security audit? 

A. Identify team members.  
B. Define the scope.  
C. Notify system administrators.  
D. Collect evidence.  



Question # 96

In which of the following scenarios is locking server cabinets and limiting access to keys preferable to locking the server room to prevent unauthorized access?

A. Server cabinets are located in an unshared workspace.  
B. Server cabinets are located in an isolated server farm.  
C. Server hardware is located in a remote area.  
D. Server cabinets share workspace with multiple projects.  



Question # 97

Information Security Continuous Monitoring (1SCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Which of the following is the FIRST step in developing an ISCM strategy and implementing an ISCM program?

A. Define a strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
B. Conduct a vulnerability assessment to discover current threats against the environment and incorporate them into the program.
C. Respond to findings with technical management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection. 
D. Analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data. 



Question # 98

The Rivest-Shamir-Adleman (RSA) algorithm is BEST suited for which of the following operations?

A. Bulk data encryption and decryption  
B. One-way secure hashing for user and message authentication  
C. Secure key exchange for symmetric cryptography  
D. Creating digital checksums for message integrity  



Question # 99

Which security feature fully encrypts code and data as it passes to the servers and only decrypts below the hypervisor layer?

A. File-system level encryption  
B. Transport Layer Security (TLS)  
C. Key management service  
D. Trusted execution environments



Question # 100

Which of the following BEST describes the use of network architecture in reducing corporate risks associated with mobile devices?

A. Maintaining a "closed applications model on all mobile devices depends on demilitarized 2one (DM2) servers 
B. Split tunneling enabled for mobile devices improves demilitarized zone (DMZ) security posture
C. Segmentation and demilitarized zone (DMZ) monitoring are implemented to secure a virtual private network (VPN) access for mobile devices
D. Applications that manage mobile devices are located in an Internet demilitarized zone (DMZ) 



Question # 101

Which section of the assessment report addresses separate vulnerabilities, weaknesses, and gaps? 

A. Key findings section  
B. Executive summary with full details  
C. Risk review section  
D. Findings definition section



Question # 102

What is the BEST method to use for assessing the security impact of acquired software? 

A. Common vulnerability review  
B. Software security compliance validation
C. Threat modeling  
D. Vendor assessment  



Question # 103

What is the correct order of execution for security architecture? 

A. Governance, strategy and program management, project delivery, operations  
B. Strategy and program management, governance, project delivery, operations  
C. Governance, strategy and program management, operations, project delivery  
D. Strategy and program management, project delivery, governance, operations  



Question # 104

A cloud service accepts Security Assertion Markup Language (SAML) assertions from users to on and security However, an attacker was able to spoof a registered account on the network and query the SAML provider. What is the MOST common attack leverage against this flaw? 

A. Attacker forges requests to authenticate as a different user.  
B. Attacker leverages SAML assertion to register an account on the security domain.  
C. Attacker conducts denial-of-service (DoS) against the security domain by authenticating as the same user repeatedly.
D. Attacker exchanges authentication and authorization data between security domains.  



Question # 105

Network Access Control (NAC) capability BEST meets this objective? 

A. Application firewall  
B. Port security  
C. Strong passwords  
D. Two-factor authentication (2FA)



Question # 106

Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?

A. Employee evaluation of the training program  
B. Internal assessment of the training program's effectiveness  
C. Multiple choice tests to participants  
D. Management control of reviews



Question # 107

Two computers, each with a single connection on the same physical 10 gigabit Ethernet network segment, need to communicate with each other. The first machine has a single Internet Protocol (IP) Classless Inter-Domain Routing (CIDR) address of 192.168.1.3/30 and the second machine has an IP/CIDR address 192.168.1.6/30. Which of the following is correct?

A. Since each computer is on a different layer 3 networks, traffic between the computers must be processed by a network bridge in order to communicate. 
B. Since each computer is on the same layer 3 networks, traffic between the computers may be processed by a network bridge in order to communicate. 
C. Since each computer is on the same layer 3 networks, traffic between the computers may be processed by a network router in order to communicate. 
D. Since each computer is on a different layer 3 networks, traffic between the computers must be processed by a network router in order to communicate. 



Question # 108

The customer continues to experience attacks on their email, web, and File Transfer Protocol (FTP) servers. These attacks are impacting their business operations. Which of the following is the BEST recommendation to make?

A. Configure an intrusion detection system (IDS).  
B. Create a demilitarized zone (DMZ).  
C. Deploy a bastion host.  
D. Setup a network firewall.  



Question # 109

When testing password strength, which of the following is the BEST method for brute forcing passwords?

A. Conduct an offline attack on the hashed password information.  
B. Conduct an online password attack until the account being used is locked.  
C. Use a comprehensive list of words to attempt to guess the password.  
D. Use social engineering methods to attempt to obtain the password.  



Question # 110

A hospital’s building controls system monitors and operates the environmental equipment to maintain a safe and comfortable environment. Which of the following could be used to minimize the risk of utility supply interruption?

A. Digital devices that can turn equipment off and continuously cycle rapidly in order to increase supplies and conceal activity on the hospital network 
B. Standardized building controls system software with high connectivity to hospital networks 
C. Lock out maintenance personnel from the building controls system access that can impact critical utility supplies
D. Digital protection and control devices capable of minimizing the adverse impact to critical utility 



Question # 111

During an internal audit of an organizational Information Security Management System (ISMS), nonconformities are identified. In which of the following management stages are nonconformities reviewed, assessed and/or corrected by the organization?

A. Planning  
B. Operation  
C. Assessment  
D. Improvement  



Question # 112

Which of the following is established to collect information Se eee ee ee nation readily available in part through implemented security controls?

A. Security Assessment Report (SAR)  
B. Organizational risk tolerance  
C. Information Security Continuous Monitoring (ISCM)  
D. Risk assessment report  



Question # 113

Two remote offices need to be connected securely over an untrustworthy MAN. Each office needs to access network shares at the other site. Which of the following will BEST provide this functionality?

A. Client-to-site VPN  
B. Third-party VPN service  
C. Site-to-site VPN  
D. Split-tunnel VPN  



Question # 114

An organization has discovered that organizational data is posted by employees to data storage accessible to the general public. What is the PRIMARY step an organization must take to ensure data is properly protected from public release? 

A. Implement a data classification policy.
B. Implement a data encryption policy.  
C. Implement a user training policy.  
D. Implement a user reporting policy.  



Question # 115

Which of the following is the FIRST step during digital identity provisioning? 

A. Authorizing the entity for resource access  
B. Synchronizing directories  
C. Issuing an initial random password  
D. Creating the entity record with the correct attributes  



Question # 116

Which of the following is the BEST way to protect an organization's data assets? 

A. Monitor and enforce adherence to security policies.  
B. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.  
C. Create the Demilitarized Zone (DMZ) with proxies, firewalls, and hardened bastion hosts.  
D. Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).  



Question # 117

What is the FINAL step in the waterfall method for contingency planning? 

A. Maintenance  
B. Testing  
C. Implementation  
D. Training  



Question # 118

Which of the following is an open standard for exchanging authentication and authorization data between parties?

A. Wired markup language  
B. Hypertext Markup Language (HTML)  
C. Extensible Markup Language (XML)  
D. Security Assertion Markup Language (SAML)



Question # 119

Which of the following is the BEST method to identify security controls that should be implemented for a web-based application while in development?

A. Application threat modeling  
B. Secure software development.  
C. Agile software development  
D. Penetration testing  



Question # 120

Which of the following BEST describes the purpose of Border Gateway Protocol (BGP)? 

A. Maintain a list of network paths between internet routers.  
B. Provide Routing Information Protocol (RIP) version 2 advertisements to neighboring layer 3 devices. 
C. Provide firewall services to cloud-enabled applications.  
D. Maintain a list of efficient network paths between autonomous systems.  



Question # 121

Configuring a Wireless Access Point (WAP) with the same Service Set Identifier (SSID) as another WAP in order to have users unknowingly connect is referred to as which of the following?

A. Jamming  
B. Man-right-Middle (MITM)  
C. War driving  
D. Internet Protocol (IP) spoofing



Question # 122

A company hired an external vendor to perform a penetration test ofa new payroll system. The company’s internal test team had already performed an in-depth application and security test of the system and determined that it met security requirements. However, the external vendor uncovered significant security weaknesses where sensitive personal data was being sent unencrypted to the tax processing systems. What is the MOST likely cause of the security issues?

A. Failure to perform interface testing  
B. Failure to perform negative testing  
C. Inadequate performance testing  
D. Inadequate application level testing  



Question # 123

What BEST describes the confidentiality, integrity, availability triad? 

A. A tool used to assist in understanding how to protect the organization's data  
B. The three-step approach to determine the risk level of an organization  
C. The implementation of security systems to protect the organization's data  
D. A vulnerability assessment to see how well the organization's data is protected  



Question # 124

Which of the following minimizes damage to information technology (IT) equipment stored in a data center when a false fire alarm event occurs?

A. A pre-action system is installed.  
B. An open system is installed.  
C. A dry system is installed.  
D. A wet system is installed.



Question # 125

Which of the following BEST ensures the integrity of transactions to intended recipients? 

A. Public key infrastructure (PKI)  
B. Blockchain technology  
C. Pre-shared key (PSK)  
D. Web of trust  



Question # 126

An organization has determined that its previous waterfall approach to software development is not keeping pace with business demands. To adapt to the rapid changes required for product delivery, the organization has decided to move towards an Agile software development and release cycle. In order to ensure the success of the Agile methodology, who is MOST critical in creating acceptance tests or acceptance criteria for each release?

A. Project managers  
B. Software developers  
C. Independent testers  
D. Business customers  



Question # 127

What documentation is produced FIRST when performing an effective physical loss control process?

A. Deterrent controls list  
B. Security standards list  
C. inventory list  
D. Asset valuation list  



Question # 128

A security professional should ensure that clients support which secondary algorithm for digital signatures when a Secure Multipurpose Internet Mail Extension (S/MIME) is used?

A. Triple Data Encryption Standard (3DES)
B. Advanced Encryption Standard (AES)  
C. Digital Signature Algorithm (DSA)  
D. Rivest-Shamir-Adieman (RSA)



Question # 129

Which of the (ISC)? Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?

A. Act honorably, honestly, justly, responsibly, and legally.  
B. Protect society, the commonwealth, and the infrastructure.  
C. Provide diligent and competent service to principles.  
D. Advance and protect the profession.  



Question # 130

An organization is implementing data encryption using symmetric ciphers and the Chief Information Officer (CIO) is concerned about the risk of using one key to protect all sensitive data, The security practitioner has been tasked with recommending a solution to address the CIO's concerns, Which of the following is the BEST approach to achieving the objective by encrypting all sensitive data? 

A. Use a Secure Hash Algorithm 256 (SHA-256).  
B. Use a hierarchy of encryption keys.  
C. Use Hash Message Authentication Code (HMAC) keys.  
D. Use Rivest-Shamir-Adleman (RSA) keys.  



Question # 131

Which of the following are the three MAIN categories of security controls? 

A. Administrative, technical, physical  
B. Corrective, detective, recovery  
C. Confidentiality, integrity, availability
D. Preventative, corrective, detective  



Question # 132

Which of the following is the FIRST requirement a data owner should consider before implementing a data retention policy?

A. Training  
B. Legal  
C. Business  
D. Storage  



Question # 133

Compared to a traditional network, which of the following is a security-related benefit that software-defined networking (SDN) provides?

A. Centralized network provisioning  
B. Centralized network administrator control
C. Reduced network latency when scaled  
D. Reduced hardware footprint and cost  



Question # 134

A software developer installs a game on their organization-provided smartphone. Upon installing the game, the software developer is prompted to allow the game access to call logs, Short Message Service (SMS) messaging, and Global Positioning System (GPS) location data. What has the game MOST likely introduced to the smartphone?

A. Alerting  
B. Vulnerability  
C. Geo-fencing  
D. Monitoring  



Question # 135

In Federated Identity Management (FIM), which of the following represents the concept of federation?

A. Collection of information logically grouped into a single entity  
B. Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications
C. Collection of information for common identities in a system  
D. Collection of domains that have established trust among themselves  



Question # 136

What is the second phase of public key infrastructure (PKI) key/certificate life-cycle management? 

A. Implementation Phase  
B. Cancellation Phase  
C. Initialization Phase  
D. Issued Phase  



Question # 137

A security professional has been requested by the Board of Directors and Chief Information Security Officer (CISO) to perform an internal and external penetration test. What is the BEST course of action?

A. Review data localization requirements and regulations.  
B. Review corporate security policies and procedures,  
C. With notice to the Configuring a Wireless Access Point (WAP) with the same Service Set Identifier external test.  
D. With notice to the organization, perform an external penetration test first, then an internal test.  



Question # 138

Which of the following is an important design feature for the outer door o f a mantrap? 

A. Allow it to be opened by an alarmed emergency button.  
B. Do not allow anyone to enter it alone.  
C. Do not allow it to be observed by dosed-circuit television (CCTV) cameras.  
D. Allow it be opened when the inner door of the mantrap is also open  



Question # 139

The security architect has been mandated to assess the security of various brands of mobile devices. At what phase of the product lifecycle would this be MOST likely to occur?

A. Disposal  
B. Implementation  
C. Development  
D. Operations and maintenance  



Question # 140

How is Remote Authentication Dial-In User Service (RADIUS) authentication accomplished?

A. It uses clear text and firewall rules.
B. It relies on Virtual Private Networks (VPN).  
C. It uses clear text and shared secret keys.  
D. It relies on asymmetric encryption keys.



Question # 141

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys?

A. Physically secured storage device  
B. Encrypted flash drive  
C. Public key infrastructure (PKI)  
D. Trusted Platform Module (TPM)



Question # 142

Which type of access control includes a system that allows only users that are type=managers and department=sales to access employee records? 

A. Discretionary access control (DAC)  
B. Mandatory access control (MAC)  
C. Role-based access control (RBAC)  
D. Attribute-based access control (ABAC)  



Question # 143

Which of the following is the PRIMARY goal of logical access controls? 

A. Restrict access to an information asset.  
B. Ensure integrity of an information asset.
C. Restrict physical access to an information asset.  
D. Ensure availability of an information asset.  



Question # 144

A security professional was tasked with rebuilding a company's wireless infrastructure.Which of the following are the MOST important factors to consider while making a decision on which wireless spectrum to deploy? 

A. Hybrid frequency band, service set identifier (SSID), and interpolation
B. Performance, geographic location, and radio signal interference
C. Facility size, intermodulation, and direct satellite service
D. Existing client devices, manufacturer reputation, and electrical interference



Question # 145

In an IDEAL encryption system, who has sole access to the decryption key? 

A. System owner
B. Data owner
C. Data custodian
D. System administrator



Question # 146

Which of the following criteria ensures information is protected relative to its importance to the organization?

A. The value of the data to the organization's senior management  
B. Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification 
C. Legal requirements determined by the organization headquarters' location  
D. Organizational stakeholders, with classification approved by the management board  



Question # 147

Which of the following Disaster recovery (DR) testing processes is LEAST likely to disrupt normal business operations?

A. Parallel
B. Simulation
C. Table-top
D. Cut-over



Question # 148

Before allowing a web application into the production environment, the security practitioner performs multiple types of tests to confirm that the web application performs as expected. To test the username field, the security practitioner creates a test that enters more characters into the field than is allowed. Which of the following BEST describes the type of test performed? 

A. Misuse case testing  
B. Penetration testing  
C. Web session testing  
D. Interface testing  



Question # 149

The Chief Information Officer (CIO) has decided that as part of business modernizationefforts the organization will move towards a cloud architecture. All business-critical data willbe migrated to either internal or external cloud services within the next two years. The CIOhas a PRIMARY obligation to work with personnel in which role inorder to ensure proper protection of data during and after the cloud migration?

A. Information owner
B. General Counsel
C. Chief Information Security Officer (CISO)
D. Chief Security Officer (CSO)