Certified Information Systems Security Professional (CISSP)
Last update: 2 days ago
Total questions: 1487
CISSP is stable now, with all the latest exam questions added 2 days ago. Just download our full package and start your journey toward the ISC Certified Information Systems Security Professional (CISSP) certification. All of these ISC CISSP practice exam questions are real and verified by our experts in the related industry fields.
A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?
Which of the following represents the GREATEST risk to data confidentiality?
When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
Intellectual property rights are PRIMARILY concerned with which of the following?
An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?
Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?
An organization has discovered that users are visiting unauthorized websites using anonymous proxies.
Which of the following is the BEST way to prevent future occurrences?
Which of the following could be considered the MOST significant security challenge when adopting DevOps practices compared to a more traditional control framework?
An Information Technology (IT) professional attends a cybersecurity seminar on current incident response methodologies.
What code of ethics canon is being observed?
Match the name of access control model with its associated restriction.
Drag each access control model to its appropriate restriction access on the right.
What MUST each information owner do when a system contains data from multiple information owners?
A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established.
What MUST be considered or evaluated before performing the next step?
Which of the following is a common feature of an Identity as a Service (IDaaS) solution?
Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software?
Which of the following is MOST appropriate for protecting the confidentiality of data stored on a hard drive?
What is the MOST significant benefit of an application upgrade that replaces randomly generated session keys with certificate based encryption for communications with backend servers?
If an attacker in a SYN flood attack uses someone else's valid host address as the source address, the system under attack will send a large number of Synchronize/Acknowledge (SYN/ACK) packets to the
Refer to the information below to answer the question.
A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes.
Which of the following BEST describes the access control methodology used?
Refer to the information below to answer the question.
An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement.
The effectiveness of the security program can PRIMARILY be measured through
The use of private and public encryption keys is fundamental in the implementation of which of the following?
Which security service is provided by the process of encrypting plaintext with the sender’s private key and decrypting the ciphertext with the sender’s public key?
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?
An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.
Which contract is BEST in offloading the task from the IT staff?
Which of the following is MOST important when assigning ownership of an asset to a department?
Which of the following BEST describes the responsibilities of a data owner?
When implementing a data classification program, why is it important to avoid too much granularity?
Which of the following is an initial consideration when developing an information security management system?
A software security engineer is developing a black box-based test plan that will measure the system's reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the functional testing techniques on the left with the correct input parameters on the right.
What is the MOST efficient way to secure a production program and its data?
Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment?
In which order, from MOST to LEAST impacted, does user awareness training reduce the occurrence of the events below?
Which of the following is the BEST approach to take in order to effectively incorporate the concepts of business continuity into the organization?
Which of the following is most helpful in applying the principle of LEAST privilege?
Which of the following is of GREATEST assistance to auditors when reviewing system configurations?
A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user’s access to data files?
Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?
In which of the following programs is it MOST important to include the collection of security process data?
Which of the following could cause a Denial of Service (DoS) against an authentication system?
At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?
Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?
An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control?
Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?
An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?
Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress?
Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol?
When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?
In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is the MAIN purpose of the DMZ?
Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?
Although code using a specific program language may not be susceptible to a buffer overflow attack,
In which identity management process is the subject’s identity established?
When evaluating third-party applications, which of the following is the GREATEST responsibility of Information Security?
Which of the following restricts the ability of an individual to carry out all the steps of a particular process?
Which of the following would BEST describe the role directly responsible for data within an organization?
What operations role is responsible for protecting the enterprise from corrupt or contaminated media?
When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?
Which of the following is a remote access protocol that uses a static authentication?
Which of the following media sanitization techniques is MOST likely to be effective for an organization using public cloud services?
Which of the following is the MOST important goal of information asset valuation?
A proxy firewall operates at what layer of the Open System Interconnection (OSI) model?
What access control scheme uses fine-grained rules to specify the conditions under which access to each data item or applications is granted?
Physical assets defined in an organization’s Business Impact Analysis (BIA) could include which of the following?
An organization that has achieved a Capability Maturity Model Integration (CMMI) level of 4 has done which of the following?
A security architect is responsible for the protection of a new home banking system. Which of the following solutions can BEST improve the confidentiality and integrity of this external system?
Which of the following technologies would provide the BEST alternative to anti-malware software?
Which of the below strategies would MOST comprehensively address the risk of malicious insiders leaking sensitive information?
When a system changes significantly, who is PRIMARILY responsible for assessing the security impact?
A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection Regulation (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulatory requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?
Who is essential for developing effective test scenarios for disaster recovery (DR) test plans?
A security professional should consider the protection of which of the following elements FIRST when developing a defense-in-depth strategy for a mobile workforce?
An organization wants to enable users to authenticate across multiple security domains. To accomplish this, they have decided to use Federated Identity Management (FIM). Which of the following is used behind the scenes in a FIM deployment?
What is the MOST common component of a vulnerability management framework?
Which programming methodology allows a programmer to use pre-determined blocks of code and consequently reduces development time and programming costs?
Recovery strategies of a Disaster Recovery Plan (DRP) MUST be aligned with which of the following?
With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?
A continuous information security monitoring program can BEST reduce risk through which of the following?
Which of the following types of business continuity tests includes assessment of resilience to internal and external risks without endangering live operations?
A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?
What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?
What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization’s systems cannot be unavailable for more than 24 hours?
Which of the following is the FIRST step in the incident response process?
An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST probable cause?
What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
Which of the following is a PRIMARY advantage of using a third-party identity service?
A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?
What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?
Which of the following assures that rules are followed in an identity management architecture?
A system is developed so that its business users can perform business functions but not user administration functions. Application administrators can perform administration functions but not user business functions. These capabilities are BEST described as
An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the following is a PRIMARY security concern?
Which of the following is critical for establishing an initial baseline for software components in the operation and maintenance of applications?
Which of the following secure startup mechanisms are PRIMARILY designed to thwart attacks?
What is the PRIMARY reason for ethics awareness and related policy implementation?
Multi-Factor Authentication (MFA) is necessary in many systems given common types of password attacks. Which of the following is a correct list of password attacks?
What is the BEST method to detect the most common improper initialization problems in programming languages?
The use of proximity card to gain access to a building is an example of what type of security control?
Refer to the information below to answer the question.
A security practitioner detects client-based attacks on the organization’s network. A plan will be necessary to address these concerns.
In the plan, what is the BEST approach to mitigate future internal client-based attacks?
Refer to the information below to answer the question.
A security practitioner detects client-based attacks on the organization’s network. A plan will be necessary to address these concerns.
In addition to web browsers, what PRIMARY areas need to be addressed concerning mobile code used for malicious purposes?
Refer to the information below to answer the question.
In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files.
In a Bell-LaPadula system, which user has the MOST restrictions when writing data to any of the four files?
What is the MOST important consideration from a data security perspective when an organization plans to relocate?
All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that
Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
A company wants to store data related to users on an offsite server. What method can be deployed to protect the privacy of the user’s information while maintaining the field-level configuration of the database?
The security operations center (SOC) has received credible intelligence that a threat actor is planning to attack with multiple variants of a destructive virus. After obtaining a sample set of this virus’ variants and reverse engineering them to understand how they work, a commonality was found: all variants are coded to write to a specific memory location. It is determined this virus is of no threat to the organization because they had the foresight to enable what feature on all endpoints?
Which of the following types of hosts should be operating in the demilitarized zone (DMZ)?
What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?
Which of the following is an authentication protocol in which a new random number is generated uniquely for each login session?
Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network data leakage prevention and/or monitoring?
Which of the following is considered best practice for preventing e-mail spoofing?
A disadvantage of an application filtering firewall is that it can lead to
Which security action should be taken FIRST when computer personnel are terminated from their jobs?
When building a data center, site location and construction factors that increase the level of vulnerability to physical threats include
The BEST method of demonstrating a company's security level to potential customers is
Why is a system's criticality classification important in large organizations?
What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?
Which of the following statements is TRUE for point-to-point microwave transmissions?
The stringency of an Information Technology (IT) security assessment will be determined by the
Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified in automated vulnerability assessments?
Who in the organization is accountable for classification of data information assets?
Which of the following mobile code security models relies only on trust?
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
TESTED 29 Mar 2024
Hi, this is Romona Kearns from Holland, and I would like to tell you that I passed my exam with the use of exams4sure dumps. I got the same questions in my exam that I had prepared from your test engine software. I will recommend your site to all my friends for sure.
All of our material is important and will be handy for you. If you have a short time for the exam, we are sure that with its use you will pass easily with good marks. If you do not pass, feel free to claim your refund. We give a 100% money-back guarantee if our customers are not satisfied with our products.