CISSP – Practice Test Questions – 2024 – Set 5 (53 Questions)

Dive into the depths of CISSP certification preparation with this series of practice tests designed to challenge and inspire. From legal and regulatory compliance to enterprise security architecture, each article offers a diverse set of questions to test your grasp of essential concepts and principles in information security.

1. How does an asset classification program enhance an organization’s ability to fulfill its objectives and goals?

A. By meeting the audit function’s requirements
B. By controlling changes to production environments
C. By reinforcing principles of ownership
D. By outlining controls to protect valuable assets

Correct Answer: D

2. What is the correct sequence of the asset life cycle phases?

A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy

Correct Answer: A

3. Which of the following is the BEST definition of defensible destruction?

A. The destruction of assets using defense- approved methods
B. The destruction of assets in a controlled, legally defensible, and compliant manner
C. The destruction of assets without the possibility of recovering those assets
D. The destruction of assets using a method that may not allow attackers to recover data

Correct Answer: B

4. In a setting where asset classification has been implemented to meet privacy protection requirements, who is considered the owner and thus responsible for ensuring proper compliance and protection?

A. Data processor
B. Data subject
C. Data controller
D. Data steward

Correct Answer: C

5. Which of the following is NOT a principle of privacy protection from the Organization for Economic Cooperation and Development (OECD)?

A. Collection Limitation Principle
B. Right to be Forgotten Principle
C. Use Limitation Principle
D. Accountability Principle

Correct Answer: B

6. All of the following are necessary for effective retention requirements in organizations EXCEPT

A. Policy
B. Awareness, education, training
C. Understanding of compliance-related requirements
D. Data steward

Correct Answer: D

7. Which of the following is not an objective of baseline security controls used in protecting assets?

A. Specific steps that must be executed
B. Minimum level of security controls
C. It may be associated with specific architectures and systems
D. A consistent reference point

Correct Answer: A

8. Which of the following is the BEST definition of scoping?

A. Altering baselines to apply more specifically
B. Modifying assumptions based on previously learned behavior
C. Limiting general baseline recommendations by removing those that do not apply
D. Responsible protection of assets based on goals and objectives

Correct Answer: C

9. How would you define “scoping” in the context of implementing new standards and frameworks in our organization?

A. Implementing the complete standard or framework but setting higher standards in certain areas
B. Selectively implementing parts of the standard or framework based on relevance
C. Assessing the cost implications of the implementation
D. Evaluating the suitability of the standard for the organization

Correct Answer: B

10. What data destruction method would be most suitable for eliminating data remanence on devices like PROM, flash memory, and SSD drives?

A. Degaussing
B. Overwriting
C. Shredding
D. Formatting

Correct Answer: B

11. In which of the three states of data is encryption protection unfeasible?

A. Data at rest
B. Data in motion
C. Data in use
D. Data on backup tapes

Correct Answer: C

12. What type of memory is utilized in flash drives?

A. SDRAM
B. PROM
C. EEPROM
D. DRAM

Correct Answer: C

13. What method should be employed to erase EPROM memory for a firmware upgrade?

A. It’s not possible to erase EPROM once it’s written.
B. Software programs can be used to erase content.
C. Exposure to UV light.
D. Degaussing the chip after removing it from the motherboard.

Correct Answer: C

14. What are some methods for protecting data while an employee actively uses it?

A. Encryption, clean desk policies, and view angle screens
B. Clean desk policies, view angle screens, and automatic computer locking when not in use
C. A need-to-know policy
D. Clean desk policies, print policies, job rotation, mandatory vacations, and view angle screens

Correct Answer: D

15. What is one way to protect data at rest?

A. Clean desk policy
B. Privacy screens for monitors
C. Encryption
D. Discretionary access control (DAC)

Correct Answer: C

16. On what basis should the duration for keeping backups be decided?

A. Permanently.
B. For a month, as long as we have a full backup of everything.
C. As long as it is useful or required, whichever is longer.
D. All data is required to be kept for one year.

Correct Answer: C

17. Which type of memory is considered volatile?

A. DRAM
B. PROM
C. Flash Memory
D. EEPROM

Correct Answer: A

18. Which type of Read-Only Memory (ROM) can only be programmed once?

A. EPROM
B. EEPROM
C. PROM
D. APROM

Correct Answer: C

19. Why would we opt to use multiple forms of data destruction on our sensitive information?

A. Because it is easier than just a single type of data destruction
B. To ensure there is no data remanence
C. To ensure data is still accessible after the destruction
D. To make sure we have the old drives available

Correct Answer: B

20. What is a typical attack on our data at rest?

A. Cryptanalysis
B. Shoulder surfing
C. Eavesdropping
D. All of these

Correct Answer: A

21. An attacker has stolen one of our backup tapes. What could prevent the data on the tape from being accessible?

A. Proper data handling
B. Proper data storage
C. Proper data retention
D. Proper data encryption

Correct Answer: D

22. Looking at the data classification classes of the US government: data that, if disclosed, won’t cause any harm to national security would be classified as?

A. Unclassified
B. Confidential
C. Secret
D. Top Secret

Correct Answer: A

23. Which of these is a common attack against data at rest?

A. Stealing unencrypted laptops
B. MITM (man in the middle)
C. Screen scrapers
D. Keyloggers

Correct Answer: A

24. In designing our data retention policy, which should not be considered?

A. Which data do we keep?
B. How long do we keep the data?
C. Where do we keep the backup data?
D. How to safely destroy the data after the retention has expired?

Correct Answer: C

25. We have many policies we need to adhere to in our organization. Which of these would be part of our clean desk policy?

A. Minimal use of paper copies and only used while at the desk and in use
B. Cleaning your desk of all the clutter
C. Shred all paper copies of everything
D. Picking up anything you print as soon as you print it

Correct Answer: A

26. What are we trying to eliminate with data disposal?

A. Data remanence
B. How long do we keep the data
C. The data content
D. The data in use

Correct Answer: A

27. When assigning sensitivity to our data, which of these should not be a factor?

A. Who will have access to the data
B. What the data is worth
C. How bad a data exposure would be
D. How the data will be used

Correct Answer: D

28. Which of these would be something we would consider for proper data disposal of SSD drives?

A. Degaussing
B. Formatting
C. Deleting all files
D. Shredding

Correct Answer: D

29. Which of these would be something we can implement to protect our data in use better? (Select all that apply.)

A. Clean desk policy
B. Encryption
C. View angle privacy screen for monitors
D. Print policy
E. Workstation locking

Correct Answer: A, C, D, E

30. Which of these should we encrypt if we are dealing with sensitive data?

A. Hard disks
B. Backup tapes
C. Data sent over the network
D. All of these

Correct Answer: D

31. What would be the role of the data custodian?

A. Make the policies, procedures, and standards that govern our data security
B. Perform the backups and restores
C. Be trained in the policies, procedures, and standards
D. Assign the sensitivity labels and backup frequency of the data

Correct Answer: B

32. Which of these could be a common attack on our data in motion?

A. Cryptanalysis
B. Shoulder surfing
C. Eavesdropping
D. All of these

Correct Answer: C

33. We’ve introduced logging on our backup servers to monitor employee data access. What does this demonstrate?

A. Proper data handling
B. Proper data storage
C. Proper data retention
D. Proper data encryption

Correct Answer: A

34. We’re discarding many hard drives in line with our hardware disposal and no data remanence policy. What method would we use to guarantee zero data remanence on damaged SSD drives?

A. Degauss
B. Overwrite
C. Incinerate
D. Format

Correct Answer: C

35. Who bears the responsibility for our organization’s day-to-day financial leadership?

A. The CEO
B. The CFO
C. The CIO
D. The CSO

Correct Answer: B

36. Which activity would we perform during the e-discovery process?

A. Discover all the electronic files we have in our organization
B. Produce electronic information to internal or external attorneys or legal teams
C. Make sure we keep data long enough in our retention policies for us to fulfill the legal requirements for our state and sector
D. Delete data that has been requested if the retention period has expired

Correct Answer: B

37. How is data classified in the US government’s data classification scheme if its disclosure could cause serious damage to national security?

A. Unclassified
B. Confidential
C. Secret
D. Top Secret

Correct Answer: C

38. For what type of data would we want to implement end-to-end encryption?

A. Data at rest
B. Data in use
C. Data in motion
D. All of these

Correct Answer: C

39. What is the primary goal of information classification within an organization?

A. To increase the workload of IT staff
B. To facilitate communication between departments
C. To protect the confidentiality, integrity, and availability of data
D. To make data more accessible

Correct Answer: C

40. Which one of the following is NOT a typical level of data classification in a private sector organization?

A. Proprietary
B. Confidential
C. Top Secret
D. Public

Correct Answer: C

41. Who is typically responsible for data classification in an organization?

A. IT department
B. Data owner
C. Security team
D. All employees

Correct Answer: B

42. What is the role of a data custodian in an organization?

A. Define data classification levels
B. Implement controls as defined by the data owner
C. Determine how long data should be retained
D. Create new datasets

Correct Answer: B

43. Which of the following best describes data remanence?

A. Data that remains on a storage medium after it has been deleted
B. Data that is stored in the cloud
C. Data that is currently in use
D. Data that is being transmitted over a network

Correct Answer: A

44. What is the purpose of a data retention policy?

A. To define how long data should be kept before it is deleted
B. To ensure data is accessible to all employees
C. To classify data according to its sensitivity
D. To protect data from malware attacks

Correct Answer: A

45. Which one of the following is NOT a factor in determining data retention periods?

A. Regulatory requirements
B. Business needs
C. The size of the data
D. Legal considerations

Correct Answer: C

46. What is the primary goal of privacy laws and regulations?

A. To make data more accessible
B. To protect the rights of individuals with respect to their personal data
C. To classify data according to its sensitivity
D. To ensure data is retained for the correct period of time

Correct Answer: B

47. When considering the life cycle of information, what is typically the final stage?

A. Creation
B. Distribution
C. Storage
D. Destruction

Correct Answer: D

48. What type of security control is data encryption?

A. Preventative
B. Detective
C. Corrective
D. Recovery

Correct Answer: A

49. Which framework is recognized for its comprehensive life cycle approach to security architecture, from assessing business requirements to establishing a “chain of traceability” through strategy, concept, design, implementation, and metrics stages?

A. Zachman
B. SABSA
C. ISO 27000
D. TOGAF

Correct Answer: B

50. Within ITIL’s Service Portfolio, which component primarily focuses on transforming designs into operational services via a project management standard?

A. Service strategy
B. Service design
C. Service transition
D. Service operations

Correct Answer: C

51. What is the BEST method to compile detailed security requirements?

A. Threat modeling, covert channels, and data classification
B. Data classification, risk assessments, and covert channels
C. Risk assessments, covert channels, and threat modeling
D. Threat modeling, data classification, and risk assessments

Correct Answer: D

52. Which international security standard is renowned for codifying best security practices and standardizing an organization’s Information Security Management System (ISMS) for certification purposes?

A. ISO 15408
B. ISO 27001
C. ISO 9001
D. ISO 9146

Correct Answer: B

53. What describes the rules that must be put into place to ensure compliance with security requirements?

A. Security kernel
B. Security policy
C. Security model
D. Security reference monitor

Correct Answer: B

You may also like: