CISSP – Practice Test Questions – 2024 – Set 17 (53 Questions)

CISSP Part 17

Maximize your chances of CISSP exam success with this series of practice tests offering comprehensive coverage of information security topics. From identity and access management to security risk management, each article provides valuable insights and challenges to help you prepare effectively.

1. Which of the following is a common method to ensure “data authenticity” in software applications?

A. Data compression
B. Data encryption
C. Digital signatures
D. Data replication

Correct Answer: C

2. What is the primary goal of “security information and event management (SIEM)” systems in software security?

A. To manage user permissions and roles
B. To provide real-time analysis of security alerts generated by applications and network hardware
C. To back up and restore software data
D. To manage software updates and patches

Correct Answer: B

3. In the context of software security, which of the following best describes “threat modeling”?

A. The process of designing user-friendly interfaces
B. The process of predicting software performance under various conditions
C. The systematic identification and evaluation of potential threats to the software
D. The process of simulating user interactions with software

Correct Answer: C

4. Which of the following is a primary concern when considering “secure software design”?

A. Ensuring the software has the latest features
B. Ensuring the software’s user interface is visually appealing
C. Ensuring the software architecture is designed with security principles in mind
D. Ensuring the software is compatible with all devices

Correct Answer: C

5. What is the main goal of “application allowlisting” in the context of software security?

A. To create a list of users authorized to access the application
B. To specify which applications are allowed to run on a system
C. To identify and block malicious applications
D. To optimize the performance of authorized applications

Correct Answer: B

6. In software security, which of the following best describes “security misconfiguration”?

A. A situation where security settings are left at their default values
B. A situation where security software is not updated regularly
C. A situation where security protocols are overly complex
D. A situation where security measures are redundant

Correct Answer: A

7. Which of the following is NOT a primary component of “incident response” in software security?

A. Identification of the incident
B. Containment of the incident
C. Resolution of the software bug
D. Recovery and lessons learned

Correct Answer: C

8. What is the primary purpose of “security audits” in software security?

A. To identify and fix performance issues in the software
B. To verify that the software meets user requirements
C. To assess and ensure the software adheres to security standards and policies
D. To introduce new features to the software

Correct Answer: C

9. In the context of software security, what does “patch management” refer to?

A. The process of designing user interfaces
B. The process of regularly updating and managing patches for software vulnerabilities
C. The process of managing user feedback and reviews
D. The process of optimizing software code

Correct Answer: B

10. Which of the following best describes “man-in-the-middle (MITM)” attacks in software security?

A. Attacks where the attacker directly communicates with the victim
B. Attacks where the attacker intercepts and possibly alters the communication between two parties
C. Attacks where the attacker impersonates a software application
D. Attacks where the attacker floods a system with traffic

Correct Answer: B

11. What is the primary goal of “multifactor authentication (MFA)” in software security?

A. To provide multiple layers of encryption
B. To verify user identity using multiple methods or factors
C. To allow multiple users to access the same account
D. To optimize the user login process

Correct Answer: B

12. In the context of software security, which of the following best describes “risk assessment”?

A. The process of designing secure software architectures
B. The process of evaluating the potential risks associated with software vulnerabilities
C. The process of training users on software features
D. The process of updating software to the latest version

Correct Answer: B

13. Which of the following provides the software libraries and tools a developer would use to integrate an app with a social media site?

A. Software Development Kit (SDK)
B. Data Loss Prevention (DLP)
C. Integrated Development Environment (IDE)
D. Application Programming Interface (API)

Correct Answer: A

14. Which role in data classification is primarily responsible for the technical custody of systems and databases?

A. Data owner/controller
B. Data processor
C. Data custodian
D. Data steward

Correct Answer: C

15. Which method provides complete confidentiality and anonymity through the use of multiple layers of encryption, making it very difficult to determine the sender and receiver while data is in transit?

A. End-to-end encryption
B. Link encryption
C. Onion network
D. Homomorphic encryption

Correct Answer: C

16. In which context does data loss prevention (DLP) focus on detecting and preventing data breaches and potential data exfiltration?

A. Data in use
B. Data in motion
C. Data at rest
D. All of the above

Correct Answer: D

17. Which of the following best describes the primary difference between “labeling” and “marking” in the context of asset classification?

A. Labeling refers to the classification of the asset and is system readable, while marking refers to the handling instructions of the asset and is human readable.
B. Labeling is a manual process, while marking is automated.
C. Labeling is used for tangible assets, while marking is used for intangible assets.
D. Labeling is a temporary classification, while marking is permanent.

Correct Answer: A

18. Which obfuscation method involves creating fake data to replace real or sensitive data?

A. Concealing data
B. Information pruning
C. Fabricating data
D. Trimming data

Correct Answer: C

19. Which state of data refers to data that is currently being used in some type of computational activity?

A. Data at rest
B. Data in transit
C. Data in use
D. Data in archive

Correct Answer: C

20. In the context of access control, which principle emphasizes that access should be granted only to those personnel who absolutely require it to perform their job functions?

A. Separation of duties
B. Need to know
C. Least privilege
D. Rule-based access control

Correct Answer: B

21. Which metric is used to measure the overall accuracy of a biometric system, representing the intersection between Type 1 (false reject) and Type 2 (false acceptance) errors?

A. Error acceptance rate
B. Biometric verification rate
C. Crossover error rate
D. Biometric failure rate

Correct Answer: C

22. Which federated access protocol is frequently used in Federated Identity Management (FIM) solutions, providing both authentication and authorization, and has assertions written in XML?

A. OAuth
B. OpenID
C. Kerberos
D. SAML

Correct Answer: D

23. Which Single Sign-On (SSO) mechanism utilizes tickets and symmetric key cryptography to authenticate users to multiple services without requiring them to re-enter their credentials?

A. OAuth 2.0
B. SAML
C. Kerberos
D. OpenID Connect

Correct Answer: C

24. In which access control model are access decisions based on the user’s role within the organization, and users are granted permissions based on their assigned roles?

A. Discretionary access control (DAC)
B. Role-based access control (RBAC)
C. Mandatory access control (MAC)
D. Attribute-based access control (ABAC)

Correct Answer: B

25. Which password policy aims to prevent attackers from using previously used passwords by maintaining a history of the user’s passwords?

A. Password complexity
B. Password length
C. Password history
D. Password age

Correct Answer: C

26. Which of the following statements best describes the “Zero Trust” design principle in the context of security architecture and engineering?

A. Systems should automatically trust all internal entities.
B. Systems should trust entities only after they have been authenticated and authorized.
C. Systems should trust entities based on their historical behavior.
D. Systems should trust all external entities but verify their actions continuously.

Correct Answer: B

27. Which security model is primarily focused on preventing conflicts of interest between different departments or entities within an organization?

A. Bell-LaPadula
B. Biba
C. Brewer-Nash (the Chinese Wall)
D. Clark-Wilson

Correct Answer: C

28. Which of the following is NOT a component of the trusted computing base (TCB)?

A. Operating systems
B. Firewall rulesets
C. Firmware
D. Processors (CPUs)

Correct Answer: B

29. Which of the following cryptographic mechanisms is primarily designed to provide data integrity without confidentiality?

A. Symmetric encryption
B. Asymmetric encryption
C. Digital signatures
D. Stream ciphers

Correct Answer: C

30. The Common Criteria (CC) for Information Technology Security Evaluation provides a framework for evaluating the security properties of IT products. Which of the following is NOT a component of the Common Criteria?

A. Protection Profiles (PP)
B. Security Target (ST)
C. Evaluation Assurance Levels (EAL)
D. Trusted Platform Module (TPM)

Correct Answer: D

31. In the context of system security architecture, which of the following best describes a “reference monitor”?

A. A tool for monitoring network traffic in real time
B. A conceptual piece of the system that mediates all access to objects by subjects
C. A database that stores reference architectures for various systems
D. A module that references all security patches applied to a system

Correct Answer: B

32. A cybersecurity professional is faced with a situation where they discover a vulnerability in a system that is not under their purview. Which of the following actions aligns best with the ISC2 Code of Professional Ethics?

A. Exploit the vulnerability to demonstrate its severity to management.
B. Ignore the vulnerability since it’s not within their assigned tasks.
C. Report the vulnerability to the appropriate team or authority within the organization.
D. Share the vulnerability on a public forum to raise awareness.

Correct Answer: C

33. Which of the following best describes the primary purpose of the CIA triad in information security?

A. To define the roles and responsibilities of security personnel
B. To provide a model for designing, structuring, and implementing security functions
C. To outline the legal and regulatory requirements for data protection
D. To establish guidelines for ethical behavior in cybersecurity

Correct Answer: B

34. In the context of risk management, what does the term “threat” specifically refer to?

A. A weakness in an asset that could be exploited
B. Any potential danger that can cause damage to an asset
C. The entity that has the potential to cause damage to an asset
D. The negative consequences to an asset if a risk is realized

Correct Answer: B

35. Which of the following best describes the primary role of security governance within an organization?

A. Implementing specific security controls and technologies
B. Establishing a strategic framework for risk-based decision-making
C. Conducting day-to-day security operations and incident response
D. Ensuring compliance with external regulatory requirements

Correct Answer: B

36. An organization is trying to determine the potential loss from a specific threat. They estimate the annual rate of occurrence (ARO) as 5 and the single loss expectancy (SLE) as $10,000. What is the annualized loss expectancy (ALE)?

A. $2,000
B. $50,000
C. $15,000
D. $5,000

Correct Answer: B

37. Which of the following is NOT typically a standard data classification level in most organizations?

A. Confidential
B. Public
C. Restricted
D. Casual

Correct Answer: D

38. Your organization has recently experienced a security breach. The incident response team has been activated and is in the process of assessing the impact of the breach. Which of the following steps should the incident response team prioritize NEXT?

A. Remediation to prevent similar incidents in the future
B. Reporting the incident to all relevant stakeholders
C. Mitigation to contain and minimize the damage or impact from the incident
D. Recovery to restore operations to normal

Correct Answer: C

39. During a forensic investigation, two identical bit-for-bit copies of the original hard drive are created. What is the primary reason for creating these copies?

A. To have a backup in case one copy becomes corrupted
B. To compare the two copies for inconsistencies
C. To ensure that the original evidence remains uncontaminated
D. To distribute one copy to law enforcement and retain the other for internal investigations

Correct Answer: C

40. Which of the following is NOT a capability of a security information and event management (SIEM) system?

A. Aggregation of log data from multiple sources
B. Normalization of log entries for consistent analysis
C. Real-time prevention of security breaches
D. Reporting on analyzed and correlated log entries

Correct Answer: C

41. A security audit of your organization’s data center revealed that there are potential vulnerabilities related to physical access. Which of the following measures would be MOST effective in preventing unauthorized physical access?

A. Implementing biometric authentication at all entry points
B. Distributing security awareness brochures to all employees
C. Increasing the frequency of password changes for data center systems
D. Regularly updating the antivirus software on data center servers

Correct Answer: A

42. Your organization is considering deploying an IDPS solution. Which of the following is a primary advantage of using an intrusion prevention system (IPS) over an intrusion detection system (IDS)?

A. IPS can detect potential threats in real time.
B. IPS can take active measures to block or prevent malicious activity.
C. IPS provides detailed logs and reports for forensic analysis.
D. IPS requires less maintenance and updates than IDS.

Correct Answer: B

43. Which of the following is the PRIMARY objective of a business impact analysis (BIA) in the context of disaster recovery planning?

A. To identify the organization’s vulnerabilities and threats
B. To determine the financial implications of a potential disaster
C. To prioritize the recovery of systems based on their criticality to business operations
D. To ensure compliance with industry regulations and standards

Correct Answer: C

44. In the context of software development, what is the primary purpose of address space layout randomization (ASLR)?

A. To randomize the locations where system executables are loaded into memory
B. To ensure that software is developed using a waterfall model
C. To provide a structured approach for measuring organizational processes
D. To facilitate communication between different software applications

Correct Answer: A

45. Which of the following best describes the Software Assurance Maturity Model (SAMM) as presented by OWASP?

A. A model focused solely on the development phase of software
B. A model that is technology specific and follows a rigid structure
C. A model that provides a way to analyze and improve software security posture throughout the software life cycle
D. A model that emphasizes the importance of code obfuscation in software development

Correct Answer: C

46. In the realm of software development, what does the term “polyinstantiation” refer to?

A. The ability of code to change its behavior to avoid detection
B. The process of hiding or obscuring code to protect it from unauthorized viewing
C. The instantiation of something into multiple separate or independent instances
D. The practice of dividing the development process into multiple rapid iterations

Correct Answer: C

47. Which of the following best describes the primary difference between a static library and a dynamic library in software development?

A. A static library is accessed during program execution, while a dynamic library is accessed during program build.
B. A static library is always larger in size compared to a dynamic library.
C. A static library is accessed during program build, while a dynamic library is accessed during program execution.
D. A static library can be modified by the end user, while a dynamic library cannot.

Correct Answer: C

48. In the context of software development methodologies, which approach divides the development process into multiple rapid iterations with heavy customer interaction throughout the process?

A. Waterfall
B. Spiral Method
C. Agile
D. Structured Programming Development

Correct Answer: C

49. Which of the following best describes the term “DevOps” in the context of software development?

A. A software development methodology that emphasizes code obfuscation
B. A structured approach that allows an organization to measure processes and understand where strengths and room for improvement exist
C. An integrated approach where team members from development, operations, and other relevant areas collaborate from the beginning of a project
D. A specific type of software that focuses on defect prevention to produce software with a certifiable level of reliability

Correct Answer: C

50. During a routine security assessment, an organization discovered that a significant number of employees were using weak passwords. The Chief Information Security Officer (CISO) wants to implement a solution to mitigate this risk. Which of the following would be the MOST effective solution?

A. Conduct regular security awareness training for employees.
B. Implement a password complexity policy.
C. Limit the number of login attempts.
D. Monitor network traffic for suspicious activity.

Correct Answer: B

51. A company is planning to migrate its on-premises data center to a cloud environment. Which of the following is the PRIMARY concern from a security perspective?

A. Scalability of the cloud environment
B. Integration with existing applications
C. Data sovereignty and compliance
D. Cost-effectiveness of the migration

Correct Answer: C

52. Which of the following cryptographic methods is BEST suited for ensuring the integrity of a message?

A. Symmetric encryption
B. Asymmetric encryption
C. Digital signature
D. Key exchange

Correct Answer: C

53. An organization is implementing a new security policy where all employees must undergo a background check. This policy is an example of which type of security control?

A. Technical control
B. Physical control
C. Administrative control
D. Detective control

Correct Answer: C
