Cissp 0
https://www.2passeasy.com/dumps/CISSP/
NEW QUESTION 1
- (Exam Topic 1)
A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning
(BCP). Which of the following failures should the IT manager be concerned with?
A. Application
B. Storage
C. Power
D. Network
Answer: C
NEW QUESTION 2
- (Exam Topic 1)
When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and
27002, when can management responsibilities be defined?
Answer: A
NEW QUESTION 3
- (Exam Topic 1)
Which of the following represents the GREATEST risk to data confidentiality?
Answer: C
NEW QUESTION 4
- (Exam Topic 1)
All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that
Answer: B
NEW QUESTION 5
- (Exam Topic 1)
Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
Answer: D
NEW QUESTION 6
- (Exam Topic 1)
Intellectual property rights are PRIMARILY concerned with which of the following?
Answer: D
NEW QUESTION 7
- (Exam Topic 2)
Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?
Answer: C
NEW QUESTION 8
- (Exam Topic 2)
Which of the following is MOST important when assigning ownership of an asset to a department?
Answer: B
NEW QUESTION 9
- (Exam Topic 3)
The use of private and public encryption keys is fundamental in the implementation of which of the following?
A. Diffie-Hellman algorithm
B. Secure Sockets Layer (SSL)
C. Advanced Encryption Standard (AES)
D. Message Digest 5 (MD5)
Answer: A
NEW QUESTION 10
- (Exam Topic 3)
Who in the organization is accountable for classification of data information assets?
A. Data owner
B. Data architect
C. Chief Information Security Officer (CISO)
D. Chief Information Officer (CIO)
Answer: A
NEW QUESTION 10
- (Exam Topic 3)
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
A. Implementation Phase
B. Initialization Phase
C. Cancellation Phase
D. Issued Phase
Answer: D
NEW QUESTION 11
- (Exam Topic 4)
An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly
implement a control?
Answer: A
NEW QUESTION 13
- (Exam Topic 4)
Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?
Answer: B
NEW QUESTION 17
- (Exam Topic 4)
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?
A. Transport layer
B. Application layer
C. Network layer
D. Session layer
Answer: A
NEW QUESTION 20
- (Exam Topic 5)
Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual
employee’s salary?
Answer: C
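The salary question above is the classic aggregation/inference problem: a user who may only see averages can still recover one row by differencing two permitted queries. The following is an added example, not part of the original question bank. It uses a constructed four-row employee table, assumes the aggregate view also exposes the row count (as COUNT queries normally do), and shows the differencing attack against an unrestricted view and against a view that enforces a minimum query set size (the policy value 3 is an assumption for the example).

```python
# Added example (not from the original question bank): inference by differencing
# two aggregate queries, and the minimum-query-size control that refuses the
# second query. The employee table below is constructed sample data.

EMPLOYEES = [
    {"id": 1, "dept": "eng", "salary": 90_000},
    {"id": 2, "dept": "eng", "salary": 110_000},
    {"id": 3, "dept": "eng", "salary": 100_000},
    {"id": 4, "dept": "ops", "salary": 70_000},
]

MIN_QUERY_SIZE = 3  # policy parameter assumed for this example


def average_salary(predicate, min_size=0):
    """Mean salary of every employee matching predicate.

    min_size=0 is the unrestricted aggregate view the users are granted.
    A positive min_size is the minimum-query-size control: the query is
    refused (None) when it would cover fewer than min_size rows.
    """
    rows = [e["salary"] for e in EMPLOYEES if predicate(e)]
    if len(rows) < min_size:
        return None
    return sum(rows) / len(rows)


def dept_count(dept):
    """COUNT(*) for the department; an aggregate the view is assumed to permit."""
    return sum(1 for e in EMPLOYEES if e["dept"] == dept)


def infer_individual(target_id, dept, min_size=0):
    """Differencing attack using only aggregate queries.

    avg(dept) * n  -  avg(dept without target) * (n - 1)  ==  target's salary.
    Returns None when the view refuses one of the two queries, i.e. when the
    minimum-query-size control holds.
    """
    n = dept_count(dept)
    avg_all = average_salary(lambda e: e["dept"] == dept, min_size)
    avg_rest = average_salary(
        lambda e: e["dept"] == dept and e["id"] != target_id, min_size)
    if avg_all is None or avg_rest is None:
        return None
    return avg_all * n - avg_rest * (n - 1)


if __name__ == "__main__":
    # Unrestricted view: employee 1's salary (90000) is recovered exactly.
    print("unrestricted:", infer_individual(1, "eng"))
    # With MIN_QUERY_SIZE=3 the "everyone but employee 1" query covers only
    # two rows and is refused, so the attack returns None.
    print("guarded:     ", infer_individual(1, "eng", MIN_QUERY_SIZE))
```

A minimum query size stops this two-query attack but not every inference attack: overlapping queries that each exceed the threshold (tracker attacks) can still isolate a row, so in practice it is combined with limits on query overlap, auditing of query sequences, or adding noise to results.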
NEW QUESTION 22
- (Exam Topic 6)
A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user’s
access to data files?
Answer: A
NEW QUESTION 23
- (Exam Topic 6)
Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?
A. Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken
B. Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability
C. Management teams will understand the testing objectives and reputational risk to the organization
D. Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels
Answer: D
NEW QUESTION 27
- (Exam Topic 7)
What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization’s systems cannot be unavailable for more than 24
hours?
A. Warm site
B. Hot site
C. Mirror site
D. Cold site
Answer: A
NEW QUESTION 28
- (Exam Topic 7)
Which of the following is a PRIMARY advantage of using a third-party identity service?
Answer: D
NEW QUESTION 29
- (Exam Topic 7)
A continuous information security monitoring program can BEST reduce risk through which of the following?
Answer: B
NEW QUESTION 32
- (Exam Topic 7)
An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST
probable cause?
Answer: D
NEW QUESTION 35
- (Exam Topic 7)
With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?
Answer: B
NEW QUESTION 38
- (Exam Topic 7)
What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
Answer: C
NEW QUESTION 42
- (Exam Topic 8)
What is the BEST approach to addressing security issues in legacy web applications?
Answer: D
NEW QUESTION 44
- (Exam Topic 8)
A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected.
What is the MOST probable security feature of Java preventing the program from operating as intended?
A. Least privilege
B. Privilege escalation
C. Defense in depth
D. Privilege bracketing
Answer: A
NEW QUESTION 49
- (Exam Topic 8)
The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle
(SDLC)?
Answer: A
Explanation:
Reference https://online.concordia.edu/computer-science/system-development-life-cycle-phases/
NEW QUESTION 54
- (Exam Topic 9)
Internet Protocol (IP) source address spoofing is used to defeat
A. address-based authentication.
B. Address Resolution Protocol (ARP).
C. Reverse Address Resolution Protocol (RARP).
D. Transmission Control Protocol (TCP) hijacking.
Answer: A
NEW QUESTION 59
- (Exam Topic 9)
Logical access control programs are MOST effective when they are
Answer: D
NEW QUESTION 60
- (Exam Topic 9)
Copyright provides protection for which of the following?
Answer: B
NEW QUESTION 65
- (Exam Topic 9)
The key benefits of a signed and encrypted e-mail include
Answer: B
NEW QUESTION 66
- (Exam Topic 9)
What technique BEST describes antivirus software that detects viruses by watching anomalous behavior?
A. Signature
B. Inference
C. Induction
D. Heuristic
Answer: D
NEW QUESTION 68
- (Exam Topic 9)
Why is a system's criticality classification important in large organizations?
A. It provides for proper prioritization and scheduling of security and maintenance tasks.
B. It reduces critical system support workload and reduces the time required to apply patches.
C. It allows for clear systems status communications to executive management.
D. It provides for easier determination of ownership, reducing confusion as to the status of the asset.
Answer: A
NEW QUESTION 72
- (Exam Topic 9)
What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source?
Answer: D
NEW QUESTION 77
- (Exam Topic 9)
During an audit of system management, auditors find that the system administrator has not been trained. What actions need to be taken at once to ensure the
integrity of systems?
Answer: D
NEW QUESTION 80
- (Exam Topic 9)
The stringency of an Information Technology (IT) security assessment will be determined by the
Answer: C
NEW QUESTION 82
- (Exam Topic 9)
Including a Trusted Platform Module (TPM) in the design of a computer system is an example of a technique to what?
Answer: D
NEW QUESTION 85
- (Exam Topic 9)
Which one of these risk factors would be the LEAST important consideration in choosing a building site for a new computer facility?
A. Vulnerability to crime
B. Adjacent buildings and businesses
C. Proximity to an airline flight path
D. Vulnerability to natural disasters
Answer: C
NEW QUESTION 90
- (Exam Topic 9)
Multi-threaded applications are more at risk than single-threaded applications to
A. race conditions.
B. virus infection.
C. packet sniffing.
D. database injection.
Answer: A
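The race condition the question refers to is a check-then-act sequence whose check goes stale before the act. The following is an added example, not code from the original question bank. It uses a constructed toy account and a Barrier purely to force the bad interleaving every time (a real scheduler produces it only occasionally, which is why such bugs are hard to reproduce), then shows the same operation with the check and the act held under one lock.

```python
# Added example (not from the original question bank): a reproducible
# time-of-check/time-of-use race between two threads, and the locked version.
import threading


class Account:
    """Constructed shared resource: a balance touched by several threads."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, gate):
    """Check-then-act with no synchronisation.

    `gate` is a Barrier used only to make the race reproducible: every thread
    passes its balance check before any thread debits, which is an
    interleaving a real scheduler can produce by chance.
    """
    if acct.balance >= amount:        # time of check: both threads see 100
        gate.wait()                   # both are now past the check
        acct.balance -= amount        # time of use: second debit overdraws
        return True
    return False


def withdraw_safe(acct, amount):
    """Check and act under one lock, so the check cannot go stale."""
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run(worker, acct, n_threads, *extra):
    """Run n_threads workers withdrawing 100 each; return (balance, sorted results)."""
    results = []

    def target():
        results.append(worker(acct, 100, *extra))

    threads = [threading.Thread(target=target) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)


def demo_racy():
    acct = Account(100)
    gate = threading.Barrier(2, timeout=5)
    return run(withdraw_racy, acct, 2, gate)   # (-100, [True, True])


def demo_safe():
    acct = Account(100)
    return run(withdraw_safe, acct, 2)         # (0, [False, True])


if __name__ == "__main__":
    print("unsynchronised:", demo_racy())
    print("locked:        ", demo_safe())
```

The fix is not "add a lock somewhere" but holding the lock across the whole check-and-act span; locking only the decrement would still let both threads pass the check.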
NEW QUESTION 94
- (Exam Topic 9)
Which of the following is an attacker MOST likely to target to gain privileged access to a system?
Answer: A
NEW QUESTION 96
- (Exam Topic 9)
The process of mutual authentication involves a computer system authenticating a user and authenticating the
Answer: B
NEW QUESTION 98
- (Exam Topic 9)
Which of the following is the best practice for testing a Business Continuity Plan (BCP)?
Answer: B
Answer: C
Answer: A
A. Job rotation
B. Separation of duties
C. Least privilege model
D. Increased monitoring
Answer: B
Answer: A
Answer: A
Answer:
A. The service provider's policies are consistent with ISO/IEC 27001 and there is evidence that the service provider is following those policies.
B. The service provider will segregate the data within its systems and ensure that each region's policies are met.
C. The service provider will impose controls and protections that meet or exceed the current system's controls and produce audit logs as verification.
D. The service provider's policies can meet the requirements imposed by the new environment even if they differ from the organization's current policies.
Answer: D
Answer: A
Answer: D
A. data integrity.
B. defense in depth.
C. data availability.
D. non-repudiation.
Answer: B
A. Cryptographic checksums
B. Version numbering
C. Automatic updates
D. Vendor assurance
Answer: A
Answer: D
Answer: B
Answer: D
Answer: C
A. Detection
B. Prevention
C. Investigation
D. Correction
Answer: A
Answer: C
Answer: D
A. Production data that is secured and maintained only in the production environment.
B. Test data that has no similarities to production data.
C. Test data that is mirrored and kept up-to-date with production data.
D. Production data that has been sanitized before loading into a test environment.
Answer: D
Answer: B
Answer: A
Answer: C
A. Encryption routines
B. Random number generator
C. Obfuscated code
D. Botnet command and control
Answer: C
Answer: B
Answer: D
A. Technical management
B. Change control board
C. System operations
D. System users
Answer: B
- (Exam Topic 9)
Passive Infrared Sensors (PIR) used in a non-climate controlled environment should
Answer: C
A. Passage of time
B. Assigned security label
C. Multilevel Security (MLS) architecture
D. Minimum query size
Answer: A
Answer: B
Answer: C
A. The behavior is ethical because the tool will be used to create a better virus scanner.
B. The behavior is ethical because any experienced programmer could create such a tool.
C. The behavior is not ethical because creating any kind of virus is bad.
D. The behavior is not ethical because such a tool could be leaked on the Internet.
Answer: A
A. Hot site
B. Cold site
C. Warm site
D. Mobile site
Answer: B
Answer: A
Answer: B
Answer: D
Answer: B
A. Non-repudiation
B. Traceability
C. Anonymity
D. Resilience
Answer: C
A. Requirements Analysis
B. Development and Deployment
C. Production Operations
D. Utilization Support
Answer: A
Answer: B
Answer: A
A. default gateway.
B. attacker's address.
C. local interface being attacked.
D. specified source address.
Answer: D
Answer: A
A. Data integrity
B. Access accountability
C. Encryption logging format
D. Segregation of duties
Answer: B
A. Availability
B. Integrity
C. Accountability
D. Confidentiality
Answer: D
Answer: D
A. 802.11i
B. Kerberos
C. Lightweight Directory Access Protocol (LDAP)
D. Security Assertion Markup Language (SAML)
Answer: D
A. Policy database
B. Digital signature
C. Policy decision point
D. Policy enforcement point
Answer: D
Answer: C
Answer: C
A. processes that are identical to that of the organization doing the outsourcing.
B. access to the original personnel that were on staff at the organization.
C. the ability to maintain all of the applications in languages they are familiar with.
D. access to the skill sets consistent with the programming languages used by the organization.
Answer: D
Answer: A
A. System integrity
B. System availability
C. System confidentiality
D. System auditability
Answer: B
A. Forms-based authentication
B. Digest authentication
C. Basic authentication
D. Self-registration
Answer: B
Answer: B
Answer: B
Answer: C
A. Log review
B. Least privilege
C. Password complexity
D. Non-disclosure agreement
Answer: A
A. Plaintext
B. Brute force
C. Power analysis
D. Man-in-the-middle (MITM)
Answer: C
Answer: D
A. Testing phase
B. Development phase
C. Requirements definition phase
D. Operations and maintenance phase
Answer: C
Answer: C
Answer: C
A. Security procedures
B. Security standards
C. Human resource policy
D. Human resource standards
Answer: B
Answer: B
Answer: C
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Answer: C
Answer: D
A. audit scope.
B. auditor's experience level.
C. availability of the data.
D. integrity of the data.
Answer: A
Answer: D
A. Hash functions
B. Data segregation
C. File system permissions
D. Non-repudiation controls
Answer: B
A. Brute force
B. Tampering
C. Information disclosure
D. Denial of Service (DoS)
Answer: C
Answer: B
Answer: B
A. Spoofing
B. Eavesdropping
C. Man-in-the-middle
D. Denial of service
Answer: C
A. Availability
B. Confidentiality
C. Integrity
D. Ownership
Answer: C
Answer: B
A. Hierarchical inheritance
B. Dynamic separation of duties
C. The Clark-Wilson security model
D. The Bell-LaPadula security model
Answer: B
Answer: A
Answer: C
Answer: B
A. File allocation
B. Redundancy check
C. Extended validation
D. Policy enforcement
Answer: D
A. A document that expresses an implementation independent set of security requirements for an IT product that meets specific consumer needs.
B. A document that is used to develop an IT security product from its security requirements definition.
C. A document that expresses an implementation dependent set of security requirements which contains only the security functional requirements.
D. A document that represents evaluated products where there is a one-to-one correspondence between a PP and a Security Target (ST).
Answer: A
Answer: A
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Answer: C
A. Onward transfer
B. Collection Limitation
C. Collector Accountability
D. Individual Participation
Answer: B
A. Mastered
B. Not Mastered
Answer: A
Explanation:
A. External
B. Overt
C. Internal
D. Covert
Answer: D
Answer: A
Answer: B
Answer: D
A. Read-through
B. Parallel
C. Full interruption
D. Simulation
Answer: B
Answer: B
A. Application Manager
B. Database Administrator
C. Privacy Officer
D. Finance Manager
Answer: C
Answer: D
A. Encrypts and optionally authenticates the IP header, but not the IP payload
B. Encrypts and optionally authenticates the IP payload, but not the IP header
C. Authenticates the IP payload and selected portions of the IP header
D. Encrypts and optionally authenticates the complete IP packet
Answer: B
A. dig
B. ifconfig
C. ipconfig
D. nbtstat
Answer: A
Answer: C
Answer: B
A. Logging configurations
B. Transaction log files
C. User account configurations
D. Access control lists (ACL)
Answer: B
Answer: B
Answer: A
Answer: A
Answer: C
Answer: B
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Answer: C
A. Mastered
B. Not Mastered
Answer: A
Explanation:
WS-Trust
The protocol used for issuing security tokens is based on WS-Trust. WS-Trust is a Web service specification that builds on WS-Security. It describes a protocol
used for issuance, exchange, and validation of security tokens. WS-Trust provides a solution for interoperability by defining a protocol for issuing and exchanging
security tokens, based on token format, namespace, or trust boundaries.
Reference: https://msdn.microsoft.com/en-us/library/ff650503.aspx
A. Data Redaction
B. Data Minimization
C. Data Encryption
D. Data Storage
Answer: B
Answer: A
Answer: B
Answer: D
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Answer: D
Answer: A
Answer: B
A. Integrity
B. Confidentiality
C. Accountability
D. Availability
Answer: A
Answer: B
A. Parallel
B. Walkthrough
C. Simulation
D. Tabletop
Answer: C
Answer: B
Answer: D
A. After the system preliminary design has been developed and the data security categorization has been performed
B. After the business functional analysis and the data security categorization have been performed
C. After the vulnerability analysis has been performed and before the system detailed design begins
D. After the system preliminary design has been developed and before the data security categorization begins
Answer: B
A. Data Custodian
B. Executive Management
C. Chief Information Security Officer
D. Data/Information/Business Owners
Answer: B
Answer: C
Answer: C
Answer: A
Answer: C
Answer: C
Answer: B
Answer: A
Answer: D
Answer: C
Answer: B
A. Lock pinging
B. Lock picking
C. Lock bumping
D. Lock bricking
Answer: B
Answer: A
Answer: C
Answer: C
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Mandatory Access Control (MAC) – The system enforces access from security labels on subjects and objects; the end user cannot set or override the controls.
Discretionary Access Control (DAC) – The owner of an object decides who may access it and sets its permissions.
Role Based Access Control (RBAC) – Permissions are assigned to roles that reflect job functions, and subjects are granted roles rather than individual permissions.
Rule Based Access Control – Access is decided by rules set by an administrator or custodian (for example time of day or source address) that apply regardless of the subject's identity.
A. Kernel
B. Shared libraries
C. Hardware
D. System application
Answer: A
A. Full name
B. Unique identifier
C. Security question
D. Date of birth
Answer: B
Answer: B
A. Transference
B. Covert channel
C. Bleeding
D. Cross-talk
Answer: D
Answer: D
Answer: D
A. organization policy.
B. industry best practices.
C. industry laws and regulations.
D. management feedback.
Answer: A
A. The estimated period of time a business critical database can remain down before customers are affected.
B. The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning
C. The estimated period of time a business can remain interrupted beyond which it risks never recovering
D. The fixed length of time in a DR process before redundant systems are engaged
Answer: C
Answer: B
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Administrative – labeling of sensitive data
Technical – constrained user interface
Logical – biometrics for authentication
Physical – Radio Frequency Identification (RFID) badge
Answer: A
A. dig
B. ipconfig
C. ifconfig
D. nbtstat
Answer: A
Answer: A
Answer: C
Which of the following would BEST describe the role directly responsible for data within an organization?
A. Data custodian
B. Information owner
C. Database administrator
D. Quality control
Answer: A
Answer: D
A. Transport Layer
B. Data-Link Layer
C. Network Layer
D. Application Layer
Answer: C
Answer: C
Answer: C
Answer: D
Answer: D
A. VPN bandwidth
B. Simultaneous connection to other networks
C. Users with Internet Protocol (IP) addressing conflicts
D. Remote users with administrative rights
Answer: B
Answer: C
A. Ownership
B. Confidentiality
C. Availability
D. Integrity
Answer: C
Answer: B
Answer: B
Answer: A
A. Alert data
B. User data
C. Content data
D. Statistical data
Answer:
Answer: D
A. Management support
B. Consideration of organizational need
C. Technology used for delivery
D. Target audience
Answer: B
A. Purpose
B. Cost effectiveness
C. Availability
D. Authenticity
Answer: D
A. Trust
B. Provisioning
C. Authorization
D. Enrollment
Answer: D
Answer: B
Answer: C
Answer: D
A. 25%
B. 50%
C. 75%
D. 100%
Answer: A
Answer: C
Answer: B
Answer: B
A. Stateful firewall
B. Distributed antivirus
C. Log analysis
D. Passive honeypot
Answer: A
Answer: B
Answer: B
Answer: D
Answer: A
Answer: C
Explanation:
Section: Security Assessment and Testing
Answer: D
A. Compartmentalization
B. Segmentation
C. Error correction
D. Virtual Local Area Network (VLAN) tagging
Answer: B
Answer: A
Answer: A
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Risk - A measure of the extent to which an entity is threatened by a potential circumstance or event, the adverse impacts that would arise if the circumstance or
event occurs, and the likelihood of occurrence.
Protection Needs Assessment - The method used to identify the confidentiality, integrity, and availability requirements for organizational and system assets and to
characterize the adverse impact or consequences should the asset be lost, modified, degraded, disrupted, compromised, or become unavailable.
Threat assessment - The method used to identify and characterize the dangers anticipated throughout the life cycle of the system.
Security Risk Treatment - The method used to identify feasible security risk mitigation options and plans.
A. Achieving Service Level Agreements (SLA) on how quickly patches will be released when a security flaw is found.
B. Maintaining segregation of duties.
C. Standardized configurations for logging, alerting, and security metrics.
D. Availability of security teams at the end of design process to perform last-minute manual audits and reviews.
Answer: B
A. Application authentication
B. Input validation
C. Digital signing
D. Device encryption
Answer: C
Answer: C
A. System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements
B. Data stewardship roles, data handling and storage standards, data lifecycle requirements
C. Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements
D. System authorization roles and responsibilities, cloud computing standards, lifecycle requirements
Answer: A
A. Large mantrap where groups of individuals leaving are identified using facial recognition technology
B. Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exit door
C. Emergency exits with push bars with coordinators at each exit checking off the individual against a predefined list
D. Card-activated turnstile where individuals are validated upon exit
Answer: B
Explanation:
Section: Security Operations
A. Purging
B. Encryption
C. Destruction
D. Clearing
Answer: A
Answer: A
Answer: B
Answer: B
A. Implementation
B. Initiation
C. Review
D. Development
Answer: A
Answer: A
Answer: D
Answer: C
Answer: A
Explanation:
Section: Security Assessment and Testing
Answer: A
A. Mastered
B. Not Mastered
Answer: A
Explanation:
Answer: C
A. Input protocols
B. Target processes
C. Error messages
D. Access rights
Answer: C
Explanation:
Section: Security Assessment and Testing
A. Awareness activities should be used to focus on security concerns and respond to those concerns accordingly
B. Awareness is not an activity or part of the training but rather a state of persistence to support the program
C. Awareness is training.
D. The purpose of awareness presentations is to broaden attention of security.
E. Awareness is not training.
F. The purpose of awareness presentation is simply to focus attention on security.
Answer: C
Answer: C
Explanation:
Section: Security Operations
Answer: C
A. Memory review
B. Code review
C. Message division
D. Buffer division
Answer: B
A. Security vulnerabilities
B. Risk tolerance
C. Risk mitigation
D. Security staff
Answer: C
A. annually
B. to correspond with staff promotions
C. to correspond with terminations
D. continually
Answer: A
A. Security manager
B. System owner
C. Data owner
D. Data processor
Answer: B
Explanation:
Section: Security Operations
Answer: D
A. Forces Transmission Control Protocol /Internet Protocol (TCP/IP) connections into a reset state
B. Establishes many new Transmission Control Protocol / Internet Protocol (TCP/IP) connections
C. Empties the queue of pending Transmission Control Protocol /Internet Protocol (TCP/IP) requests
D. Exceeds the limits for new Transmission Control Protocol /Internet Protocol (TCP/IP) connections
Answer: B
A. Trusted platforms
B. Host-based firewalls
C. Token-based authentication
D. Wireless Access Points (AP)
Answer: A
A. Erase
B. Sanitize
C. Encrypt
D. Degauss
Answer: B
Answer: C
Answer: D
A. Configuration
B. Identity
C. Compliance
D. Patch
Answer: A
Answer: A
Explanation:
Section: Security Assessment and Testing
A. Application proxy
B. Port filter
C. Network boundary router
D. Access layer switch
Answer: A
A. Network availability
B. Node locations
C. Network bandwidth
D. Data integrity
Answer: C
Answer: A
A. Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1.
B. Gratuitous ARP requires the use of insecure layer 3 protocols.
C. Gratuitous ARP requires the likelihood of a successful brute-force attack on the phone.
D. Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM) attack.
Answer: D
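The options above connect gratuitous ARP with Man-in-the-Middle risk: a host that broadcasts an unsolicited reply for an address it does not own rewrites its neighbours' ARP caches. The following is an added example, not code from the original question bank. It parses raw RFC 826 ARP bodies, identifies gratuitous ARP (sender IP equals target IP), and keeps an IP-to-MAC table that raises an alert when a known address is rebound to a different MAC. The three frames are constructed sample traffic using the 192.0.2.0/24 documentation range and made-up MAC addresses.

```python
# Added example (not from the original question bank): ARP parsing and
# gratuitous-ARP / cache-poisoning detection over constructed frames.
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"          # RFC 826 body for Ethernet/IPv4
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
OP_REQUEST, OP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    """Build a raw ARP body (no Ethernet header); used to construct sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac_bytes(sha), IPv4Address(spa).packed,
                       _mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(data):
    """Decode an ARP body into a dict; rejects non Ethernet/IPv4 ARP."""
    if len(data) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": _mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(arp):
    """Gratuitous ARP announces the sender's own binding: target IP == sender IP."""
    return arp["spa"] == arp["tpa"]


class ArpWatch:
    """Trust-on-first-use IP->MAC table; reports any rebinding of a known IP."""

    def __init__(self, seed=None):
        self.table = dict(seed or {})   # seed with known gateway MACs in practice

    def observe(self, data):
        arp = parse_arp(data)
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
            return None
        if known != arp["sha"]:
            kind = "gratuitous" if is_gratuitous(arp) else "arp"
            return f"ALERT {kind}: {arp['spa']} moved {known} -> {arp['sha']}"
        return None


def run_sample():
    """Constructed traffic: gateway announces itself, a host asks for it, attacker claims it."""
    gw_mac, atk_mac = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    frames = [
        build_arp(OP_REPLY, gw_mac, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
        build_arp(OP_REQUEST, "00:aa:bb:cc:dd:01", "192.0.2.10",
                  "00:00:00:00:00:00", "192.0.2.1"),
        build_arp(OP_REPLY, atk_mac, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
    ]
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Because the table is trust-on-first-use, an attacker who speaks first is learned as legitimate; on a real network the gateway bindings should be seeded from a known-good source. Legitimate rebinding also happens (NIC replacement, VRRP/HSRP failover), so this logic is an alert for an analyst, not a blocking control.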
Answer: A
Answer: B