CISSP – Practice Test Questions – 2024 – Set 2 (53 Questions)

CISSP Part 2

Embark on your CISSP certification journey with confidence as you tackle the questions in this practice test series. From safeguarding organizational assets to mastering secure software development practices, each article offers a unique set of challenges to test your knowledge and expertise in the field of cybersecurity.

1. What does “IDS” stand for in the context of information security?

A. Information Data System
B. Integrated Defense Strategy
C. Intrusion Detection System
D. Internal Domain Security

Correct Answer: C

2. What type of security control is a biometric scanner?

A. Physical
B. Technical
C. Administrative
D. Operational

Correct Answer: B

3. What are the three primary components of risk?

A. Threat, consequence, vulnerability
B. Impact, threat, vulnerability
C. Asset, threat, impact
D. Asset, impact, consequence

Correct Answer: B

4. Which risk treatment option involves an organization deciding to tolerate a risk without implementing additional controls?

A. Risk avoidance
B. Risk mitigation
C. Risk transfer
D. Risk acceptance

Correct Answer: D

5. Which of the following is NOT a component of the ISC2 Code of Ethics?

A. Protect society and the infrastructure
B. Act honorably, honestly, and legally
C. Provide diligent and competent service
D. Prioritize personal gain over professional duties

Correct Answer: D

6. Which of the following risk management frameworks is developed by the National Institute of Standards and Technology (NIST)?

A. ISO/IEC 27005
B. COSO ERM
C. FAIR
D. NIST SP 800-37

Correct Answer: D

7. In the context of business continuity and disaster recovery planning, what does it mean to “identify critical business functions”?

A. Determining the most essential functions and processes of the organization
B. Identifying potential disruptions to business functions
C. Implementing recovery plans for all business functions
D. Regularly testing business functions for potential disruptions

Correct Answer: A

8. Which of the following best describes a qualitative risk assessment?

A. It uses numerical values to estimate risk.
B. It relies on subjective judgments to rank risk.
C. It calculates the financial value of a risk.
D. It identifies the vulnerabilities that might be exploited by threats.

Correct Answer: B

9. What does the asset valuation method of “business impact” involve?

A. Calculating the cost of maintaining or replacing an asset
B. Determining the asset’s worth based on market demand
C. Evaluating the potential impact on operations if the asset is compromised
D. Considering the asset’s contribution to the organization’s intellectual property

Correct Answer: C

10. Which of the following is NOT a key element of effective risk communication and reporting?

A. Clarity
B. Timeliness
C. Consistency
D. Complexity

Correct Answer: D

11. Which of the following activities is NOT involved in regular risk monitoring and review?

A. Tracking risk treatment progress
B. Reviewing risk assessments
C. Analyzing incident reports
D. Implementing risk treatment plans

Correct Answer: D

12. In the context of compliance and regulatory considerations, what does it mean to “conduct compliance audits”?

A. Determine which laws and regulations apply to the organization
B. Establish policies and procedures that address legal and regulatory requirements
C. Perform regular assessments of the organization’s adherence to relevant laws and regulations
D. Develop and maintain incident response plans

Correct Answer: C

13. Which one of the following is not a risk treatment option?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk expansion

Correct Answer: D

14. What does FAIR in the risk management framework stand for?

A. Factual Analysis of Intrinsic Risk
B. Factor Analysis of Information Risk
C. Formal Assessment of Incident Response
D. Functional Analysis of Infrastructure Resilience

Correct Answer: B

15. What does the risk treatment option “risk transfer” involve?

A. Eliminating the risk by discontinuing the activity that causes it
B. Acknowledging the risk and deciding to tolerate it
C. Implementing controls to reduce the risk
D. Transferring the risk to a third party

Correct Answer: D

16. Which of the following is not a type of control used in risk mitigation strategies?

A. Technical controls
B. Administrative controls
C. Physical controls
D. Emotional controls

Correct Answer: D

17. Which of the following is not a part of the risk assessment process?

A. Identify assets
B. Identify threats
C. Identify vulnerabilities
D. Assess operational efficiency

Correct Answer: D

18. What is the primary purpose of business continuity and disaster recovery planning?

A. To prevent disasters from occurring
B. To prepare for, respond to, and recover from disruptions or disasters
C. To eliminate all risks associated with the organization
D. To ensure all staff are trained in emergency procedures

Correct Answer: B

19. Which asset valuation methodology considers the asset’s contribution to the organization’s intellectual property, customer trust, or competitive advantage?

A. Financial value
B. Business impact
C. Market value
D. Intangible value

Correct Answer: D

20. What does the “canons” in the ISC2 Code of Ethics refer to?

A. A list of security technologies
B. A set of fundamental principles
C. A set of regulatory laws
D. A list of cybersecurity certifications

Correct Answer: B

21. What is the primary difference between risk acceptance and risk avoidance?

A. Risk acceptance eliminates the risk, while risk avoidance tolerates the risk.
B. Risk acceptance tolerates the risk, while risk avoidance eliminates the risk.
C. Risk acceptance transfers the risk, while risk avoidance mitigates the risk.
D. Risk acceptance mitigates the risk, while risk avoidance transfers the risk.

Correct Answer: B

22. Which of the following is not typically included in a comprehensive enterprise risk management program according to the COSO ERM framework?

A. Risk governance and culture
B. Risk strategy and objective setting
C. Risk in execution and performance
D. Risk in product design and marketing

Correct Answer: B

23. In the context of risk management, what is the primary role of a quantitative risk assessment?

A. To make subjective judgments about risks
B. To rank risks based on expert opinion
C. To use numerical values to estimate risks
D. To categorize risks as low, medium, or high

Correct Answer: C

24. Which of the following is not a primary component of risk, as defined in risk management?

A. Threats
B. Vulnerabilities
C. Impacts
D. Controls

Correct Answer: D

25. What does the NIST SP 800-37 framework primarily provide guidelines for?

A. Implementing an information security risk management process
B. Implementing a risk management process for federal information systems
C. Providing a quantitative approach to risk management
D. Developing a comprehensive enterprise risk management program

Correct Answer: B

26. What is one key element of effective risk communication and reporting?

A. Using complex technical terms to explain risks
B. Communicating risks as infrequently as possible
C. Presenting information in a clear and understandable
D. Presenting information in a clear and understandable manner

Correct Answer: D

27. In the context of risk management, why is it important to integrate risk management into an organization’s business processes?

A. It helps to increase the number of risks the organization faces.
B. It allows risk considerations to be part of decision-making processes and overall business strategy.
C. It ensures that risks are only handled by the risk management department.
D. It reduces the need for regular risk monitoring and review.

Correct Answer: B

28. Which of the following best describes risk acceptance?

A. The organization reduces the risk by implementing controls.
B. The organization acknowledges the risk and decides to tolerate it.
C. The organization transfers the risk to a third party.
D. The organization eliminates the risk source.

Correct Answer: B

29. What is the primary purpose of asset valuation in the context of risk management?

A. To estimate the direct monetary value of an asset
B. To identify potential threats to the asset
C. To assess the potential impact and likelihood of threats to the asset
D. To prioritize the asset for risk treatment

Correct Answer: A

30. Which of the following is a key component of effective risk communication and reporting?

A. Using complex technical terms and jargon
B. Communicating risks and risk management activities irregularly
C. Tailoring the content and format of risk reports to the needs of the intended audience
D. Keeping risk communication and reporting inconsistent across the organization

Correct Answer: C

31. What is the main goal of business continuity and disaster recovery planning?

A. To eliminate all risks faced by the organization
B. To ensure that the organization can continue operating during and after a disruption or disaster
C. To prioritize risks for treatment
D. To transfer the financial risk of a disruption or disaster to a third party

Correct Answer: B

32. According to the ISC2 Code of Ethics, which of the following is a primary ethical obligation of a security professional?

A. To advance one’s own professional interests
B. To provide diligent and competent service to principals
C. To avoid service to the community
D. To use their skills primarily for personal gain

Correct Answer: B

33. Which of the following is not a type of control mentioned in the risk mitigation strategies?

A. Technical
B. Administrative
C. Physical
D. Spiritual

Correct Answer: D

34. Which of the following is a key component of the risk monitoring and review process?

A. Ignoring risk treatment progress
B. Avoiding reviewing risk assessments
C. Tracking risk treatment progress
D. Omitting incident report analysis

Correct Answer: C

35. How does integrating risk management into an organization’s business processes benefit the organization?

A. It decreases the organization’s profitability.
B. It ensures that risk considerations are part of decision-making processes.
C. It eliminates all the risks faced by the organization.
D. It restricts stakeholder involvement.

Correct Answer: B

36. Which of the following activities is not a part of compliance and regulatory considerations?

A. Identifying applicable laws and regulations
B. Developing policies and procedures
C. Ignoring compliance audits
D. Implementing incident response plans

Correct Answer: C

37. Which of the following is not a step in the risk assessment process?

A. Identify assets
B. Identify threats
C. Ignore vulnerabilities
D. Prioritize risks

Correct Answer: C

38. Which of the following risk treatment options involves transferring the risk to a third party?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transfer

Correct Answer: D

39. What does the intangible value of an asset refer to in the context of asset valuation methodologies?

A. The asset’s direct monetary value
B. The asset’s market demand
C. The asset’s contribution to the organization’s intellectual property or customer trust
D. The asset’s impact on the organization’s operations

Correct Answer: C

40. What is the most effective method to ascertain the value of an intangible asset?

A. Calculate the physical storage costs and multiply by the company’s projected lifespan
B. Engage a financial or accounting expert to determine the asset’s profit returns
C. Examine the intangible asset’s depreciation over the previous three years
D. Refer to the historical cost of acquiring or developing the intangible asset

Correct Answer: B

41. What is the key characteristic of qualitative risk assessment?

A. It can be executed easily and by individuals with basic knowledge of the risk assessment process.
B. It can be executed by individuals with basic knowledge of risk assessment and utilizes specific metrics for risk calculation.
C. It uses specific metrics for risk calculation and can be easily implemented.
D. It can be done by individuals with limited risk assessment knowledge and utilizes specific metrics for risk calculation.

Correct Answer: A

42. How is Single Loss Expectancy (SLE) computed?

A. By multiplying the asset value and the Annualized Rate of Occurrence (ARO)
B. By using asset value, Local Annual Frequency Estimate (LAFE), and Standard Annual Frequency Estimate (SAFE)
C. By multiplying the asset value and exposure factor
D. By using the Local Annual Frequency Estimate and the Annualized Rate of Occurrence

Correct Answer: C

43. What are the factors to consider when deciding on the type of risk assessment to perform?

A. Organizational culture, probability of exposure, and budget
B. Budget, resource capabilities, and probability of exposure
C. Resource capabilities, probability of exposure, and budget
D. Organizational culture, budget, and resource capabilities

Correct Answer: D

44. What does security awareness training encompass?

A. Legal security compliance objectives
B. Security roles and responsibilities of staff
C. High-level results of vulnerability assessments
D. Specialized curriculum tasks, coursework, and an accredited institution

Correct Answer: B

45. What is the purpose of a signed user acknowledgment of the corporate security policy?

A. To ensure that users have read the policy
B. To ensure that users understand the policy, as well as the consequences of not adhering to the policy
C. Can be waived if the organization is satisfied that users have a good understanding of the policy
D. To protect the organization if a user’s behavior violates the policy

Correct Answer: D

46. What does effective security management accomplish?

A. Achieves security at the lowest cost
B. Reduces risk to an acceptable level
C. Prioritizes security for new products
D. Implements patches in a timely manner

Correct Answer: B

47. What threats does the principle of availability protect information from?

A. Denial-of-service attacks, fires, floods, hurricanes, and unauthorized transactions
B. Fires, floods, hurricanes, unauthorized transactions, and unreadable backup tapes
C. Unauthorized transactions, fires, floods, hurricanes, and unreadable backup tapes
D. Denial-of-service attacks, fires, floods, hurricanes, and unreadable backup tapes

Correct Answer: D

48. To maintain impartiality, the security officer could report to which of the following?

A. CEO, application development, or CFO
B. Chief Information Officer, CFO, or application development
C. CFO, CEO, or Chief Information Officer
D. Application development, CFO, or CEO

Correct Answer: C

49. What is the best use of tactical security plans?

A. To establish high-level security policies
B. To enable enterprise-wide security management
C. To minimize downtime
D. To deploy new security technology

Correct Answer: D

50. Who is responsible for the implementation of information security?

A. Everyone
B. Senior management
C. Security officer
D. Data owners

Correct Answer: A

51. In which phase is security likely to be the most costly?

A. Design
B. Rapid prototyping
C. Testing
D. Implementation

Correct Answer: D

52. What attributes should a security policy have to remain relevant and meaningful over time?

A. Directive words such as shall, must, or will, technical specifications, and should be short in length
B. A defined policy development process, should be short in length, and contain directive words such as shall, must, or will
C. Short in length, contain technical specifications, and directive words such as shall, must, or will
D. Directive words such as shall, must, or will, a defined policy development process, and is short in length

Correct Answer: D

53. Which among the following best describes an intangible asset’s valuation process?

A. Multiplying the physical storage costs by the company’s expected lifespan
B. Collaborating with finance or accounting professionals to ascertain the profit returned by the asset
C. Reviewing the intangible asset’s depreciation over the past three years
D. Using the historical acquisition or development cost of the intangible asset

Correct Answer: B
