CISSP – Practice Test Questions – 2024 – Set 3 (53 Questions)

CISSP Part 3

Explore the intricacies of information security with this comprehensive CISSP practice test series. Whether you’re honing your skills in identity and access management or delving into the nuances of security architecture and engineering, each article provides an opportunity to reinforce your understanding and readiness for the CISSP exam.

1. Which principle is violated if one individual in the finance department has the ability to add vendors to the vendor database and subsequently make payments to the vendor?

A. A well-formed transaction
B. Separation of duties
C. Least privilege
D. Data sensitivity level

Correct Answer: B
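Question 1 is the textbook separation-of-duties case. The following is an added example, not part of the original practice test, showing how that principle is enforced in code: a preventive check that refuses a payment approval by the identity that created the vendor record, and a detective query over exported records for systems that never had the check. The identities, vendor IDs and amounts are constructed.

```python
"""Separation of duties in a vendor-payment workflow.

Added example (not part of the original practice test): a preventive check that
refuses a payment approval by the identity that created the vendor record, plus a
detective check over exported records. All names and figures below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class SeparationOfDutiesError(Exception):
    """One identity would hold both halves of a sensitive transaction."""


@dataclass
class Vendor:
    vendor_id: str
    created_by: str          # identity that added the vendor record


@dataclass
class PaymentLedger:
    vendors: Dict[str, Vendor] = field(default_factory=dict)
    payments: List[dict] = field(default_factory=list)

    def add_vendor(self, vendor_id: str, actor: str) -> Vendor:
        if vendor_id in self.vendors:
            raise ValueError(f"vendor {vendor_id} already exists")
        vendor = Vendor(vendor_id, actor)
        self.vendors[vendor_id] = vendor
        return vendor

    def approve_payment(self, vendor_id: str, amount: int, approver: str) -> dict:
        """Preventive control: the vendor's creator may not approve payments to it."""
        vendor = self.vendors[vendor_id]
        if approver == vendor.created_by:
            raise SeparationOfDutiesError(
                f"{approver} created {vendor_id} and may not approve payments to it")
        record = {"vendor_id": vendor_id, "amount": amount, "approver": approver}
        self.payments.append(record)
        return record


def find_sod_violations(vendors: List[dict], payments: List[dict]) -> List[dict]:
    """Detective control over exported records (e.g. an ERP extract): return every
    payment whose approver is also the creator of the paid vendor."""
    creator_of = {v["vendor_id"]: v["created_by"] for v in vendors}
    return [p for p in payments if creator_of.get(p["vendor_id"]) == p["approver"]]


def run_demo() -> dict:
    """Exercise both controls on constructed data and return what happened."""
    ledger = PaymentLedger()
    ledger.add_vendor("V-1001", actor="alice")                      # alice onboards the vendor
    ok = ledger.approve_payment("V-1001", 2500, approver="bob")     # bob approves: allowed
    try:
        ledger.approve_payment("V-1001", 9900, approver="alice")    # alice approves: blocked
        blocked = False
    except SeparationOfDutiesError:
        blocked = True

    # Constructed export from a system that never had the preventive check.
    exported_vendors = [
        {"vendor_id": "V-2001", "created_by": "carol"},
        {"vendor_id": "V-2002", "created_by": "dave"},
    ]
    exported_payments = [
        {"vendor_id": "V-2001", "amount": 1200, "approver": "erin"},
        {"vendor_id": "V-2001", "amount": 48000, "approver": "carol"},   # violation
        {"vendor_id": "V-2002", "amount": 300, "approver": "dave"},      # violation
    ]
    hits = find_sod_violations(exported_vendors, exported_payments)
    return {"other_approver_allowed": ok["approver"] == "bob",
            "creator_blocked": blocked,
            "violation_amounts": [h["amount"] for h in hits]}
```

Comparing login names is the minimum check. Shared accounts, service accounts and one person holding two logins all defeat it, so the detective query in production should join on the person behind the account, not the account itself. Note also that this control does nothing against two people colluding, which is why question 2 pairs it with job rotation.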

2. What is the best way to mitigate collusion?

A. Job rotation
B. Data classification
C. Defining job sensitivity level
D. Least privilege

Correct Answer: A

3. Who is best suited to make decisions about data access?

A. User managers
B. Data owners
C. Senior management
D. Application developers

Correct Answer: B

4. What is the most significant source of cybercrime risk?

A. Outsiders
B. Nation-states
C. Insiders
D. Script kiddies

Correct Answer: C

5. What is the primary obstacle in combating computer crime?

A. Computer criminals are generally smarter than computer investigators.
B. Adequate funding to stay ahead of the computer criminals.
C. Activity associated with computer crime is truly international.
D. There are so many more computer criminals than investigators that it is impossible to keep up.

Correct Answer: C

6. What discipline does computer forensics combine with computer science, information technology, and engineering?

A. Law
B. Information systems
C. Analytical thought
D. The scientific method

Correct Answer: A

7. Which principle allows an investigator to identify aspects of a person responsible for a crime, based on the residual traces left behind while stealing information?

A. Meyer’s principle of legal impunity
B. Criminalistic principles
C. IOCE/Group of 8 Nations principles for computer forensics
D. Locard’s principle of exchange

Correct Answer: D

8. Which of the following is a part of the fundamental principles of evidence?

A. Authenticity, redundancy, and admissibility
B. Completeness, authenticity, and admissibility
C. Completeness, redundancy, and authenticity
D. Redundancy, admissibility, and completeness

Correct Answer: B

9. Which of the following is not listed as a stage in incident response?

A. Documentation
B. Prosecution
C. Containment
D. Investigation

Correct Answer: B

10. Which type of law primarily focuses on the abstract concepts and is greatly influenced by the writings of legal scholars and academics?

A. Criminal law
B. Civil law
C. Religious law
D. Administrative law

Correct Answer: B

11. Which category of intellectual property protection covers the expression of ideas rather than the ideas themselves?

A. Trademark
B. Patent
C. Copyright
D. Trade secret

Correct Answer: C

12. Which type of intellectual property safeguards the goodwill that a merchant or vendor invests in its products?

A. Trademark
B. Patent
C. Copyright
D. Trade secret

Correct Answer: A

13. Which of the following represent types of software licensing?

A. Freeware, open source, and commercial
B. Commercial, academic, and open source
C. Academic, freeware, and open source
D. Freeware, commercial, and academic

Correct Answer: D

14. What is most directly concerned with the rights and duties of individuals and organizations in relation to the gathering, usage, storage, and sharing of personal data?

A. Privacy
B. Secrecy
C. Availability
D. Reliability

Correct Answer: A

15. Which of the following subphases are included in the triage process of incident response?

A. Collection, transport, testimony
B. Traceback, feedback, loopback
C. Detection, identification, notification
D. Confidentiality, integrity, availability

Correct Answer: C

16. The integrity of a forensic bit stream image is verified by

A. Comparing hash totals to the original source
B. Keeping good notes
C. Taking pictures
D. Encrypted keys

Correct Answer: A
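Question 16 asks how the integrity of a bit-stream image is verified; question 46 later relies on the same idea, since analysis is done on the duplicate. The following is an added example, not from the original practice test, that hashes a source and its image with two algorithms, compares the digests, and on mismatch reports the first differing offset. The "disk" and its copy are constructed byte strings; a real check reads the device through a write blocker.

```python
"""Hash-based integrity check of a forensic bit-stream image.

Added example (not from the original practice test). The "source" and "image"
below are constructed byte strings standing in for a disk and its copy; a real
check reads the device through a write blocker and the image file from disk.
"""
import hashlib
from typing import Dict, Optional

ALGORITHMS = ("sha256", "md5")   # strong digest plus a legacy one for tool interoperability
CHUNK_SIZE = 1 << 16             # hash in 64 KiB pieces so a multi-TB image never sits in memory


def digest(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hex digest} over the whole byte stream, chunk by chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK_SIZE):
        chunk = data[offset:offset + CHUNK_SIZE]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def first_mismatch(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the streams are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def verify_image(source: bytes, image: bytes) -> dict:
    """Compare every digest of the image against the source; report where they diverge."""
    src, img = digest(source), digest(image)
    matches = {name: src[name] == img[name] for name in src}
    clean = all(matches.values())
    return {
        "match": clean,
        "per_algorithm": matches,
        "source_sha256": src["sha256"],
        "first_mismatch_offset": None if clean else first_mismatch(source, image),
    }


def constructed_demo() -> dict:
    """Image a constructed 128 KiB 'disk', then flip one byte in a second copy."""
    source = bytes(range(256)) * 512
    good_copy = bytes(source)
    bad_copy = bytearray(source)
    bad_copy[70000] ^= 0xFF          # simulate contamination of the copy
    return {"clean": verify_image(source, good_copy),
            "tampered": verify_image(source, bytes(bad_copy))}
```

The source digest is taken at acquisition and written into the chain-of-custody notes; re-hashing the working copy before and after analysis shows the examiner did not alter it. MD5 is kept only to match output from older imaging tools; it is no longer collision resistant, so the SHA-256 value is the one that carries weight.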

17. In the context of digital evidence, the crime scene should

A. Remain unaltered at all times
B. Be fully replicable in a legal setting
C. Be located in a single country
D. Have the minimum possible level of contamination

Correct Answer: D

18. In the context of outsourcing IT systems

A. All regulatory and compliance requirements must be passed on to the provider.
B. The outsourcing organization is relieved from compliance obligations.
C. The outsourced IT systems are exempt from compliance obligations.
D. The provider is exempt from compliance obligations.

Correct Answer: A

19. How does the ISC2 Code of Ethics address conflicts between canons?

A. There can never be conflicts between canons.
B. Through a process of adjudication.
C. Based on the order of the canons.
D. By having all canon conflicts reviewed by the board of directors.

Correct Answer: C

20. Which law in the United States requires federal agencies to develop, document, and implement an agency-wide program to provide security for the information systems that support its operations and assets?

A. Health Insurance Portability and Accountability Act (HIPAA)
B. Gramm-Leach-Bliley Act (GLBA)
C. Federal Information Security Management Act (FISMA)
D. Sarbanes-Oxley Act (SOX)

Correct Answer: C

21. The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. Which of the following principles is NOT stated in GDPR?

A. Data minimization
B. Consent
C. Data localization
D. Accountability

Correct Answer: C

22. The _____________ provides guidance for the protection of electronic protected health information (ePHI).

A. HIPAA Security Rule
B. Sarbanes-Oxley Act
C. Computer Fraud and Abuse Act
D. Federal Information Security Management Act

Correct Answer: A

23. Which of the following laws mandates that organizations must have adequate security measures in place to protect customer data?

A. Sarbanes-Oxley Act (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Data Protection Act (DPA)
D. Federal Information Security Management Act (FISMA)

Correct Answer: B

24. The purpose of the _____________ is to ensure the accuracy, fairness, and privacy of the information in a consumer’s credit reports.

A. Fair Credit Reporting Act (FCRA)
B. General Data Protection Regulation (GDPR)
C. Gramm-Leach-Bliley Act (GLBA)
D. Federal Information Security Management Act (FISMA)

Correct Answer: A

25. What is the primary purpose of the Children’s Online Privacy Protection Act (COPPA)?

A. To regulate how websites collect data about children under 13
B. To regulate how websites collect data about all users
C. To protect children from inappropriate content online
D. To protect the privacy of adults when they use websites

Correct Answer: A

26. What is the primary purpose of the Payment Card Industry Data Security Standard (PCI DSS)?

A. To protect customer data during online transactions
B. To ensure the privacy of customer data
C. To ensure the secure disposal of customer data
D. To ensure the security of credit card transactions

Correct Answer: D

27. The _____________ outlines procedures to enhance the protection of critical infrastructure from cyber threats.

A. Executive Order 13636
B. HIPAA Security Rule
C. Federal Information Security Management Act (FISMA)
D. Computer Fraud and Abuse Act

Correct Answer: A

28. Which law is designed to combat identity theft by requiring businesses to destroy sensitive information derived from consumer reports?

A. Fair and Accurate Credit Transactions Act (FACTA)
B. General Data Protection Regulation (GDPR)
C. Sarbanes-Oxley Act (SOX)
D. Federal Information Security Management Act (FISMA)

Correct Answer: A

29. Which of the following laws makes it a crime to gain unauthorized access to protected computer systems?

A. Computer Fraud and Abuse Act (CFAA)
B. Fair Credit Reporting Act (FCRA)
C. Federal Information Security Management Act (FISMA)
D. Sarbanes-Oxley Act (SOX)

Correct Answer: A

30. Imagine you are a cybersecurity analyst for a retail company. The company has assessed that the Single Loss Expectancy (SLE) for a data breach is $500,000. The exposure factor (EF) for such an event is estimated at 0.85, and the Annualized Rate of Occurrence (ARO) is 0.60. Additionally, the residual risk is calculated to be $200,000. Based on these metrics, what would be the resulting Annualized Loss Expectancy (ALE) for a data breach?

A. $255,000
B. $510,000
C. $300,000
D. $425,000

Correct Answer: C (ALE = SLE × ARO = $500,000 × 0.60 = $300,000; the exposure factor is already built into the SLE and is not applied again, and the residual-risk figure is a distractor)

31. In quantitative risk analysis, the correct order in which the following values are calculated is

A. ALE, residual risk, SLE, ARO
B. ALE, ARO, SLE, residual risk
C. ARO, SLE, ALE, residual risk
D. SLE, ARO, ALE, residual risk

Correct Answer: D
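Questions 30 and 31 both turn on the order of the quantitative risk formulas: AV × EF gives the SLE, SLE × ARO gives the ALE, and comparing the ALE before and after a safeguard gives the safeguard's value and the residual risk. The following is an added example, not part of the original practice test, that carries the chain through in code; the question-30 figures come from the page, while the control scenario (asset value, rates and control cost) is constructed.

```python
"""Quantitative risk formulas in the order they are applied.

Added example (not part of the original practice test): AV and EF give the SLE,
SLE and ARO give the ALE, and the ALE before and after a control gives the
control's value and the residual risk. The question-30 figures are from the
page; the control scenario is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one event (0..1)
    aro: float              # annualized rate of occurrence, events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


def ale_from_sle(sle: float, aro: float) -> float:
    """ALE when the SLE is already known: EF is inside the SLE and is not applied again."""
    return sle * aro


def control_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> dict:
    """Cost/benefit of a safeguard: (ALE before - ALE after) - annual cost of the control.
    Residual risk is the ALE that remains with the control in place."""
    reduction = before.ale - after.ale
    return {"ale_before": before.ale, "residual_ale": after.ale,
            "annual_reduction": reduction, "net_value": reduction - annual_cost,
            "worth_buying": reduction > annual_cost}


def question_30() -> float:
    """SLE $500,000 and ARO 0.60 as given; EF 0.85 and the $200,000 residual figure are distractors."""
    return ale_from_sle(500_000, 0.60)


def constructed_control_case() -> dict:
    """Constructed: AV $1M, EF 0.5, ARO 0.2 -> ALE $100,000; a control cutting ARO to 0.05 costs $30,000/yr."""
    before = RiskScenario(1_000_000, 0.5, 0.20)
    after = RiskScenario(1_000_000, 0.5, 0.05)
    return control_value(before, after, annual_cost=30_000)
```

When `net_value` comes out negative the safeguard costs more than the loss it prevents, which is the situation question 36 describes; the remaining risk is then accepted or transferred rather than mitigated, as question 48 states.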

32. What is the duration of copyright protection in both the United States and the European Union?

A. The author’s life plus 20 years
B. The author’s life plus 30 years
C. The author’s life plus 70 years
D. The author’s life plus 100 years

Correct Answer: C

33. Which term refers to a flaw, loophole, oversight, or error that leaves an organization open to potential attack or harm?

A. Risk
B. Vulnerability
C. Threat
D. Exploit

Correct Answer: B

34. Which of the following security documents is the broadest in scope?

A. Procedures
B. Standards
C. Policies
D. Baselines

Correct Answer: C

35. Which role within an organization is responsible for assigning sensitivity labels to information assets?

A. Management
B. The auditor
C. The user
D. The owner

Correct Answer: D

36. If the cost of implementing a countermeasure exceeds the value of the asset it’s meant to protect, which approach should be preferred?

A. Do nothing
B. Transfer the risk
C. Mitigate the risk
D. Increase the cost of exposure

Correct Answer: B

37. Which ISO document serves as a standard for information security management?

A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 27799

Correct Answer: A

38. Which of the following accurately describes the risk management techniques?

A. Risk acceptance, risk transference, risk avoidance, risk mitigation
B. Risk acceptance, risk containment, risk avoidance, risk migration
C. Risk acceptance, risk mitigation, risk containment, risk quantification
D. Risk avoidance, risk migration, risk containment, risk quantification

Correct Answer: A

39. Which of the following identifies a model that specifically targets security and not governance of an entire enterprise?

A. The Zachman framework
B. COBIT
C. COSO
D. SABSA

Correct Answer: D

40. Which term allows the management to demonstrate that they took necessary steps to prevent negligence in lawsuits, even if their actions weren’t flawless?

A. Due care
B. Prudency
C. Due diligence
D. Threat agent

Correct Answer: A

41. Which term refers to the method of gathering information by interviewing individuals anonymously?

A. ISO/IEC 27001
B. Qualitative valuation
C. The Delphi method
D. Quantitative valuation

Correct Answer: C

42. What is the suitable standard for governing third-party providers?

A. A nondisclosure agreement (NDA)
B. An acceptable use policy
C. The same level as employees
D. The same level as defined by the ISC2 Code of Ethics

Correct Answer: C

43. Which term refers to the expected cost associated with a single loss event?

A. Annualized loss expectancy (ALE)
B. Exposure factor (EF)
C. Asset value (AV)
D. Single loss expectancy (SLE)

Correct Answer: D

44. What is the rationale behind an enterprise reassessing the classification of its data files and records at least once a year?

A. To adhere to the stipulations of the Internet Architecture Board
B. Because the worth of data varies as time progresses
C. Due to the necessity of mitigating new threats
D. To safeguard the data’s confidentiality

Correct Answer: B

45. What should be the primary concern of management when establishing a governance framework?

A. Enhancing profits
B. Evading losses
C. Catering to the needs of the business
D. Ensuring safety

Correct Answer: C

46. When it comes to forensically examining digital evidence, which is the most accurate description of the priorities?

A. Carry out an analysis of a bit-level duplicate of the disk.
B. Examine the log files on the duplicated disk.
C. Perform steganographic analysis on the duplicated disk.
D. Detect any harmful code present on the duplicated disk.

Correct Answer: A

47. Which of the following illustrates an instance of self-regulation?

A. Sarbanes-Oxley (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Payment Card Industry Data Security Standard (PCI DSS)
D. Third-party governance

Correct Answer: C

48. What are the possible actions that can be taken with residual risk?

A. It can be either allocated or accepted.
B. It can be either pinpointed or appraised.
C. It can be either lessened or computed.
D. It can be either unveiled or evaluated.

Correct Answer: A

49. Which element does not constitute part of risk analysis?

A. Assets
B. Threats
C. Vulnerabilities
D. Countermeasures

Correct Answer: D

50. What is it that security safeguards and controls are incapable of doing?

A. Risk reduction
B. Risk avoidance
C. Risk transfer
D. Risk analysis

Correct Answer: D

51. Which of the following is most associated with risk acceptance?

A. Risk detection
B. Risk prevention
C. Risk tolerance
D. Risk correction

Correct Answer: C

52. The quantity of risk an organization can endure should be based on what?

A. Technological level
B. Acceptable level
C. Affordable level
D. Measurable level

Correct Answer: B

53. In the context of IT management and governance, the Control Objectives for Information and Related Technology (COBIT) framework serves as a valuable tool. Who among the following roles would typically choose and utilize the COBIT framework to balance security controls and business requirements?

A. Data owners
B. Information stewards
C. Enterprise owners
D. Data custodians

Correct Answer: C
