CISSP 2024 Practice Exam Questions and Answers

The document provides a comprehensive set of CISSP 2024 practice exam questions and answers across various domains, including Security and Risk Management, Asset Security, Security Architecture, and Communication and Network Security. It covers key concepts such as residual risk, fraud prevention controls, cloud storage practices, data protection laws, and encryption protocols. The material is designed to aid candidates in their preparation for the CISSP certification exam by breaking down complex topics into understandable terms.

Top CISSP 2024 Exam Practice Questions and Answers (Domains 1-4)
Author: Pooja Rawat

Sep 27, 2024

Are you preparing for the CISSP exam and wondering what types of questions you will
face? The CISSP certification is a highly respected credential in cybersecurity, known for
its challenging and comprehensive exam. To help you succeed, we have compiled this guide
of commonly asked CISSP exam questions with detailed answers, breaking complex concepts
down into simple, easy-to-understand terms to make your study process more efficient.
Whether you are just starting or reinforcing your knowledge, these CISSP practice
questions will boost your confidence and readiness.
The CISSP 2024 certification exam tests your knowledge in eight domains of the (ISC)²
CISSP Common Body of Knowledge (CBK):
Domain 1: Security and Risk Management (16%)
Domain 2: Asset Security (10%)
Domain 3: Security Architecture and Engineering (13%)
Domain 4: Communication and Network Security (13%)
Domain 5: Identity and Access Management (IAM) (13%)
Domain 6: Security Assessment and Testing (12%)
Domain 7: Security Operations (13%)
Domain 8: Software Development Security (10%)
A thorough understanding of each domain is essential for passing this esteemed
certification exam.
CISSP 2024 Practice Exam Questions and Answers
Domain 1: Security and Risk Management (16%)
1. What does the term ‘residual risk’ refer to?
A) The risk that remains after all mitigation efforts have been applied
B) The risk that is completely eliminated
C) The risk that is transferred to another party
D) The risk that is accepted by the organization
Answer: A) The risk that remains after all mitigation efforts have been applied
Explanation: Residual risk refers to the risk that persists even after all mitigation and
control measures have been implemented. It is the remaining exposure that an
organization must manage, accept, or transfer as part of its risk management strategy.
2. After identifying a fraud incident, a security professional seeks to
implement policies to reduce fraud and prevent employee collusion. Which of
the following controls is the MOST effective in detecting and preventing similar
fraud in the future?
A) Job rotation
B) Least privilege
C) Mandatory vacation
D) Separation of duties
Answer: A) Job rotation
Explanation: Job rotation is effective in detecting and preventing fraud as it involves
periodically moving employees to different roles within the organization.
3. InfosecTrain recently migrated its services and storage to the cloud. As a
security consultant, you notice employees store business documents on public
cloud storage, creating a risk. You conduct a mandatory training session to
teach staff proper cloud storage practices. Which risk treatment approach
does this represent?
A) Risk Avoidance
B) Risk Transfer
C) Risk Mitigation
D) Risk Acceptance
Answer: C) Risk Mitigation
Explanation: Conducting a training session to teach staff proper cloud storage
practices is an example of risk mitigation. This approach reduces the likelihood and
impact of the risk by implementing measures to address the identified issue, in this
case, educating employees on safe cloud storage practices.
4. Which of the following frameworks is widely used for risk management in
information security?
A) ISO/IEC 27005
B) ITIL
C) COBIT
D) TOGAF
Answer: A) ISO/IEC 27005
Explanation: ISO/IEC 27005 is a global standard offering guidelines for managing
information security risks.
5. According to an enterprise security policy, all systems must use passwords
that are at least eight characters long. However, this policy does not apply to
two systems on the network. One of these systems will be upgraded in four
months, while the other will neither be upgraded nor removed from the
network. What procedure should be carried out for these systems?
A) Provide a business reason for risk mitigation
B) Provide a business justification for risk avoidance
C) Provide a business justification for risk acceptance
D) Provide a business justification for risk transfer
Answer: C) Provide a business justification for risk acceptance
Explanation: Since one system will be upgraded soon and the other will remain as is,
the organization must acknowledge the risk and justify why it is acceptable to operate
with these systems despite non-compliance with the password policy.
Domain 2: Asset Security (10%)
1. InfosecTrain is expanding its operations and considering storing and
processing customers’ personal information in different countries. The
company’s compliance officer reviews various data protection laws to ensure
compliance. To which country does the Personal Information Protection and
Electronic Documents Act (PIPEDA) apply, and what key principles must
InfosecTrain adhere to under this act?
A) United States; consent, accountability, limited collection, and safeguards.
B) Canada; accountability, identifying purposes, consent, limited collection, limited use,
disclosure, retention, accuracy, safeguards, openness, individual access, and challenging
compliance.
C) Australia; openness, access and correction, data quality, data security, and identifiers.
D) United Kingdom; lawfulness, fairness and transparency, purpose limitation, data
minimization, accuracy, storage limitation, integrity and confidentiality, and
accountability.
Answer: B) Canada; accountability, identifying purposes, consent, limited collection,
limited use, disclosure, retention, accuracy, safeguards, openness, individual access, and
challenging compliance.
Explanation: PIPEDA applies to Canada and outlines key principles for handling
personal information in a fair and transparent manner.
2. What is the primary objective of data classification within an organization?
A) To facilitate interoperability and ensure data is only stored on cloud platforms.
B) To assign monetary value to data and determine the cost of storing and processing
data.
C) To determine appropriate handling and allocate the necessary security to manage
data.
D) To enable data deduplication and optimize the organization’s data storage capacity.
Answer: C) To determine appropriate handling and allocate the necessary security to
manage data.
Explanation: The primary objective of data classification is to determine the
appropriate handling and security measures for data based on its sensitivity and
importance.
3. Which of the following is the least effective method of data deletion and
may allow data to be recovered with special software?
A) Clearing
B) Purging
C) Destroying
D) Furnishing
Answer: A) Clearing
Explanation: Clearing is the process of removing data in such a way that it can be
recovered with special software or techniques. While it may seem that the data is
deleted, it often leaves traces that can be reconstructed.
4. Which of the following statements accurately describes end-to-end
encryption?
A) The data is decrypted in the middle of the communications channel.
B) The routing information is encrypted along with the data.
C) The data remain encrypted until they are decrypted at the remote end.
D) End-to-end encryption is generally performed by an external entity.
Answer: C) The data remain encrypted until they are decrypted at the remote end.
Explanation: End-to-end encryption encrypts data at the sender’s end and keeps it
encrypted throughout its transmission over the network, only decrypting it upon arrival
at the intended recipient.
5. Which media sanitization method involves removing sensitive data from a
system or storage device so thoroughly that the data cannot be reconstructed
by any known technique?
A) Clearing
B) Purging
C) Destruction
D) Cryptoshredding
Answer: C) Destruction
Explanation: Destruction is the process of physically damaging a storage device so that
the data it contains cannot be reconstructed or retrieved by any known technique.
Domain 3: Security Architecture and Engineering (13%)
1. Which of the following security models was first enhanced by US Department of
Defense security rules and the requirement to demonstrate that secrecy could be
maintained?
A) Bell-LaPadula
B) Biba Model
C) Clark-Wilson Model
D) Brewer-Nash Model
Answer: A) Bell-LaPadula
Explanation: The Bell-LaPadula model focuses on maintaining data confidentiality in
computer systems. It is based on three primary rules designed to prevent unauthorized
access to classified information:
• Simple Security Property (SS property): No read-up.
• Star Property (* property): No write-down.
• Strong Star Property Rule: Read and write only at the subject's own security level.
2. Which type of security model uses labels to keep track of clearances and
classifications and implements a set of rules to limit interactions between
different types of subjects and objects?
A) Bell-LaPadula
B) Biba Model
C) Clark-Wilson Model
D) Brewer-Nash Model (Chinese Wall)
Answer: A) Bell-LaPadula
Explanation: The Bell-LaPadula model uses security labels to manage clearances and
classifications of subjects (users) and objects (data). It enforces rules to ensure that
users can only access information for which they have the appropriate clearance level,
thereby maintaining data confidentiality and limiting interactions to prevent
unauthorized access.
3. Which of the following is not one of the rules of the Bell-LaPadula Security
Model?
A) Simple Security Property (SS property): Sometimes referred to as no read-up
B) Star Property (* property): Sometimes referred to as no write-down
C) Strong star property rule
D) Invocation property
Answer: D) Invocation property
Explanation: The Bell-LaPadula model includes the Simple Security Property (no read-up),
the Star Property (no write-down), and the Strong Star Property Rule. The Invocation
Property is not part of the model.
4. With the Bell-LaPadula Security Model, security policies prevent information
from flowing downwards from?
A) Low security level
B) High security level
C) Medium security level
D) Neutral security level
Answer: B) High security level
Explanation: The Bell-LaPadula Security Model enforces a “no write down” policy,
ensuring that information cannot be transferred from a higher security level to a lower
one.
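As an added example that is not part of the original article, the following Python reference monitor enforces the three Bell-LaPadula rules from questions 1 and 3 above and then enumerates every information flow those rules permit, which is the "no flow downward" point of question 4. The label names, subjects and objects are constructed sample data, not taken from the article.

```python
"""Bell-LaPadula reference monitor over a linear lattice of sensitivity labels.

Added example, not taken from the original article. It enforces the Simple
Security Property (no read-up), the Star Property (no write-down) and the
Strong Star Property (write only at the subject's own level), then lists
every (source, destination) flow a single subject could create under those
rules. The labels, subjects and objects are constructed sample data.
"""
from dataclasses import dataclass
from itertools import product
from typing import Set, Tuple

# Constructed linear ordering of labels: a higher number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Subject:
    """An active entity (user or process) carrying a clearance label."""
    name: str
    clearance: str


@dataclass(frozen=True)
class Object:
    """A passive entity (file, record, message) carrying a classification label."""
    name: str
    classification: str


def rank(label: str) -> int:
    """Map a label to its position in the lattice; reject unknown labels."""
    if label not in LEVELS:
        raise ValueError(f"unknown sensitivity label: {label!r}")
    return LEVELS[label]


def can_read(subject: Subject, obj: Object) -> bool:
    """Simple Security Property (no read-up): the subject's clearance must be
    at or above the object's classification."""
    return rank(subject.clearance) >= rank(obj.classification)


def can_write(subject: Subject, obj: Object, strong: bool = False) -> bool:
    """Star Property (no write-down): the object's classification must be at
    or above the subject's clearance. With strong=True the Strong Star
    Property applies and the two levels must be equal."""
    s, o = rank(subject.clearance), rank(obj.classification)
    return s == o if strong else s <= o


def check_access(subject: Subject, obj: Object, mode: str,
                 strong: bool = False) -> bool:
    """Reference-monitor entry point: a 'read' or 'write' request is allowed
    or denied; any other mode is rejected outright."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj, strong)
    raise ValueError(f"unsupported access mode: {mode!r}")


def possible_flows(strong: bool = False) -> Set[Tuple[str, str]]:
    """Every (source_level, destination_level) pair through which one subject
    could carry information: it must be allowed to read an object at the
    source level and write an object at the destination level."""
    flows = set()
    for clearance, src, dst in product(LEVELS, LEVELS, LEVELS):
        probe = Subject("probe", clearance)
        if can_read(probe, Object("src", src)) and \
                can_write(probe, Object("dst", dst), strong):
            flows.add((src, dst))
    return flows


def downward_flows(strong: bool = False) -> Set[Tuple[str, str]]:
    """Flows from a higher level to a lower one; under BLP this set is empty,
    which is exactly what "no write-down" guarantees."""
    return {(s, d) for s, d in possible_flows(strong) if rank(s) > rank(d)}


if __name__ == "__main__":
    alice = Subject("alice", "SECRET")            # constructed sample subject
    plan = Object("war_plan", "TOP_SECRET")       # constructed sample objects
    memo = Object("cafeteria_memo", "UNCLASSIFIED")
    print("alice reads TOP_SECRET plan:", check_access(alice, plan, "read"))     # False: no read-up
    print("alice writes UNCLASSIFIED memo:", check_access(alice, memo, "write"))  # False: no write-down
    print("alice appends to TOP_SECRET plan:", check_access(alice, plan, "write"))  # True: writing up is allowed
    print("downward flows permitted by BLP:", downward_flows())                # set()
```

Note that even with the Strong Star Property a subject can still read down, so information still flows upward; the property only forbids writing to any level other than the subject's own.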
Domain 4: Communication and Network Security (13%)
1. During a network security audit, it was discovered that sensitive data was
being transmitted over the network in plain text. What is the best way to
secure data in transit?
A) Use stronger passwords
B) Implement data encryption protocols such as SSL/TLS
C) Increase the complexity of network firewall rules
D) Restrict network access to certain users
Answer: B) Implement data encryption protocols such as SSL/TLS
Explanation: These protocols encrypt data as it travels over the network, ensuring that
it cannot be easily intercepted or read by unauthorized parties.
2. What is a Demilitarized Zone (DMZ) in network security?
A) A secure internal network for sensitive data
B) A subnetwork that separates internal networks from external networks
C) A zone where all network traffic is encrypted
D) A virtual network for remote access
Answer: B) A subnetwork that separates internal networks from external networks
Explanation: A Demilitarized Zone (DMZ) is a subnetwork that separates an
organization’s internal network from untrusted external networks, such as the Internet. It
is a buffer zone that hosts external-facing services, such as web and mail servers, while
safeguarding the internal network from direct exposure to potential threats.
3. A security analyst receives an alert from the Intrusion Detection System
(IDS) indicating unusual traffic patterns from an internal IP address. What
should be the first step in investigating this alert?
A) Ignore the alert since it’s an internal IP address
B) Block the internal IP address immediately
C) Isolate the affected system and conduct a detailed analysis
D) Inform all employees about the alert
Answer: C) Isolate the affected system and conduct a detailed analysis
Explanation: The first step should be to isolate the affected system to prevent any
potential spread of malicious activity, and then conduct a detailed analysis to determine
the nature and cause of the unusual traffic patterns.
4. What does WPA2 provide for wireless networks?
A) Data encryption
B) Network segmentation
C) Device authentication
D) Traffic monitoring
Answer: A) Data encryption
Explanation: WPA2 (Wi-Fi Protected Access 2) provides data encryption for wireless
networks. It uses the AES (Advanced Encryption Standard) cipher to secure
communications, ensuring that data transmitted over the wireless network is protected
from unauthorized access.
5. What is the purpose of a honeypot in network security?
A) To store backup data securely
B) To lure and detect unauthorized access or attacks on a network
C) To provide additional bandwidth to the network
D) To manage and configure network devices
Answer: B) To lure and detect unauthorized access or attacks on a network
Explanation: A honeypot is a security mechanism set up to attract and detect
unauthorized access or attacks on a network.

Domain 5: Identity and Access Management (IAM) (13%)
1. A company has discovered that an employee has been using a colleague’s
credentials to access sensitive information. What immediate action should the
company take to address this issue?
A) Ignore the issue as it is an internal matter
B) Terminate both employees involved
C) Conduct an investigation and enforce strict access control policies
D) Disable all user accounts temporarily
Answer: C) Conduct an investigation and enforce strict access control policies
Explanation: The first step is to conduct a comprehensive investigation to identify the
scope of the issue and assess any potential impacts or unauthorized access.
2. What is the purpose of a Single Sign-On (SSO) system?
A) To provide multi-factor authentication
B) To allow users to authenticate once and gain access to multiple systems
C) To monitor user activity on the network
D) To encrypt user passwords
Answer: B) To allow users to authenticate once and gain access to multiple systems
Explanation: A Single Sign-On (SSO) system allows users to authenticate once and
access multiple systems or applications without the need to log in separately for each,
streamlining the user experience and enhancing security by minimizing the number of
credentials to manage.
3. A healthcare organization needs to ensure that only authorized personnel
can access patient records. What access control mechanism should be
implemented to meet this requirement?
A) Role-Based Access Control (RBAC)
B) Discretionary Access Control (DAC)
C) Mandatory Access Control (MAC)
D) Open Access Control
Answer: A) Role-Based Access Control (RBAC)
Explanation: Role-Based Access Control (RBAC) is an effective access control
mechanism that assigns permissions to users based on their roles within the
organization. This ensures that only authorized personnel can access information based
on their specific job functions and responsibilities.
4. What is the main benefit of implementing a federated identity management
system?
A) It improves password security
B) It allows multiple organizations to share and manage user identities
C) It provides real-time monitoring of user activities
D) It enables single sign-on for internal applications only
Answer: B) It allows multiple organizations to share and manage user identities
Explanation: Federated identity management allows multiple organizations to share
and manage user identities across systems and domains, facilitating seamless access to
resources while maintaining security and trust relationships between the organizations.
5. What is the purpose of user provisioning in IAM?
A) To monitor user activity
B) To assign and manage user access rights and permissions
C) To encrypt user data
D) To provide training for new users
Answer: B) To assign and manage user access rights and permissions
Explanation: User provisioning in Identity and Access Management (IAM) involves
assigning and managing user access rights and permissions, ensuring that users have
the appropriate access to systems and resources based on their roles and
responsibilities within the organization.
Domain 6: Security Assessment and Testing (12%)
1. What is the primary objective of a vulnerability assessment?
A) To encrypt data transmissions
B) To identify and quantify security vulnerabilities in a system
C) To provide user access controls
D) To monitor network traffic for suspicious activity
Answer: B) To identify and quantify security vulnerabilities in a system
Explanation: The purpose of a vulnerability assessment is to detect and quantify
security weaknesses within a system, enabling organizations to assess their security
status and prioritize efforts to mitigate potential risks.
2. What is an important aspect of conducting a security audit?
A) Encrypting all data during transmission
B) Reviewing and evaluating the effectiveness of security policies and controls
C) Providing training for end-users
D) Monitoring network traffic for real-time threats
Answer: B) Reviewing and evaluating the effectiveness of security policies and controls
Explanation: An important aspect of conducting a security audit is reviewing and
evaluating the effectiveness of security policies and controls. This process ensures that
the security measures in place are functioning as intended and helps identify any gaps
or areas for improvement.
3. What is the purpose of a security baseline?
A) To provide a set of minimum security standards for systems and devices
B) To monitor real-time network traffic
C) To develop new encryption algorithms
D) To conduct penetration testing
Answer: A) To provide a set of minimum security standards for systems and devices
Explanation: A security baseline establishes the minimum security requirements for
systems and devices. It establishes a foundational level of security that must be met to
ensure consistent protection across the organization.
4. A multinational corporation has multiple data centers worldwide. During a
natural disaster, one of the data centers is completely destroyed. Which type
of site should the company use to ensure minimal downtime and continued
operations?
A) Cold site
B) Warm site
C) Hot site
D) Mobile site
Answer: C) Hot site
Explanation: A hot site is a fully functional offsite data center equipped with essential
hardware, software, and data, ready to assume operations promptly in case the primary
site is unavailable.
Domain 7: Security Operations (13%)
1. Which of the following is a key component of a business continuity plan
(BCP)?
A) Network segmentation
B) Data encryption
C) Disaster recovery plan
D) Vulnerability scanning
Answer: C) Disaster recovery plan
Explanation: A disaster recovery plan outlines the procedures and processes to recover
and restore operations after a disaster or disruption, ensuring the continuity of business
operations.
2. What is the main purpose of conducting a tabletop exercise?
A) To train employees on how to use new software
B) To simulate a security incident and assess how well the incident response plan
performs
C) To perform a full-scale test of the disaster recovery plan
D) To assess network performance
Answer: B) To simulate a security incident and assess how well the incident response
plan performs
Explanation: The main purpose of conducting a tabletop exercise is to simulate a
security incident and evaluate the effectiveness of the incident response plan.
3. Which of the following best describes a cold site in disaster recovery
planning?
A) A backup site that is fully operational with all necessary hardware and software
B) A site with only the basic infrastructure and no equipment or data
C) A site that is used for data archiving and storage
D) A location where network traffic is monitored
Answer: B) A site with only the basic infrastructure and no equipment or data
Explanation: A cold site is a backup site with only the basic infrastructure, such as
power and environmental controls, but without any equipment or data. It requires
additional setup before it can be used for business operations, making it less expensive
but slower to activate in the event of a disaster.
4. Why do security operations conduct root cause analysis (RCA)?
A) To identify the primary reason for a security incident and prevent its recurrence
B) To monitor network traffic for suspicious activity
C) To develop new security policies
D) To perform vulnerability assessments
Answer: A) To identify the primary reason for a security incident and prevent its
recurrence
Explanation: Root cause analysis (RCA) in security operations identifies the
underlying cause of a security incident and puts preventive measures in place,
strengthening the organization's security posture and reducing the likelihood of a
recurrence.
Domain 8: Software Development Security (10%)
1. Which of the following describes the concept of “defense in depth” in
software development security?
A) Using multiple layers of security controls to protect software
B) Implementing only one strong security measure to save resources
C) Relying on the operating system to provide all necessary security
D) Allowing end users to choose their own security settings
Answer: A) Using multiple layers of security controls to protect software
Explanation: “Defense in depth” involves implementing multiple layers of security
controls to safeguard software, ensuring that even if one control is compromised, others
will continue to provide protection.
2. What is a common method to protect sensitive data in software
applications?
A) Using plain text storage for ease of access
B) Encrypting the data at rest and in transit
C) Storing sensitive data in user profiles
D) Avoiding the use of access controls
Answer: B) Encrypting the data at rest and in transit
Explanation: Encrypting data both at rest and in transit is a widely used and highly
effective method to safeguard sensitive information, ensuring its security whether stored
or during transmission.
3. What is the purpose of static application security testing (SAST)?
A) To test the application’s performance under load
B) To identify security vulnerabilities in the source code without executing the program
C) To monitor network traffic for threats
D) To encrypt data transmissions
Answer: B) To identify security vulnerabilities in the source code without executing the
program
Explanation: Static Application Security Testing (SAST) examines source code to detect
security vulnerabilities without executing the program, allowing developers to resolve
issues early in the development process.
4. An organization is developing a cloud-based application that must comply
with data privacy regulations. What steps should the development team take
to ensure compliance and protect user data?
A) Store all user data in a local database
B) Implement encryption, access controls, and regular audits
C) Use only open-source software
D) Disable user logging to protect privacy
Answer: B) Implement encryption, access controls, and regular audits
Explanation: To ensure compliance with data privacy regulations and protect user
data, the development team should implement encryption, access controls, and regular
audits. These steps help secure the data and ensure adherence to regulatory
requirements.