CISSP - Practice Assessment - With Answers

The document is a practice assessment for CISSP certification, consisting of multiple-choice questions covering various topics in information security, compliance, and data management. Each question is followed by the correct answer and a brief explanation of the concept being tested. Key topics include risk management, data privacy laws, security policies, and data classification.

Uploaded by 4allnewuser

Practice Assessment

1. Alice runs a small online retail company; many of her customers are from the United
States. Currently, she accepts only blockchain-based payment, but she is considering the
use of credit cards. After investigating Payment Card Industry Data Security Standard (PCI
DSS) requirements, she decides that the cost of compliance would outweigh the additional
revenue. Which of the following best describes this decision?
A. Social engineering
B. PCI DSS Merchant Level 3
C. Card verification value (CVV)
D. Risk avoidance
The correct answer is D. This is a perfect example of risk avoidance; senior management
has determined that a line of business is not compatible with strategic goals because the
reward does not compensate for the risk.

2. According to the (ISC)2 ethics policy, complaints must be submitted ________.
A. through the (ISC)2 website
B. in writing
C. anonymously
D. within one year of the accused infraction
The correct answer is B. (ISC)2 requires the use of the (ISC)2 complaint form as a sworn
affidavit.

3. The business impact analysis (BIA) should consider all of the following except:
A. The value of the organization’s assets
B. Industry standards
C. Threats specific to the organization
D. The likelihood of loss
The correct answer is B. Industry standards don’t really play a part in the organization’s
determination of its own BIA; all the other answers are elements that should be
considered in BIA formulation.

1 CISSP Practice Assessment 1

4. The _______ is the length of time an organization can suffer the loss of its critical path
before ceasing to be a viable enterprise.
A. recovery time objective (RTO)
B. recovery point objective (RPO)
C. maximum allowable downtime (MAD)
D. annual loss expectancy (ALE)
The correct answer is C. This is the definition of the MAD.

5. Which of the following security instruction options offers the most potential for real-time
feedback?
A. Computer-based training
B. Rote memorization
C. Live training
D. Reward mechanisms
The correct answer is C. A live instructor in a classroom setting provides the best
opportunity for feedback.

6. Which of the following is a formal, detailed description of the responsibilities between an organization and an employee?
A. Nondisclosure agreement (NDA)
B. Employment contract
C. Acceptable use policy (AUP)
D. Security policy
The correct answer is B. This is the definition of an employment contract.

7. Which of the following is promulgated by senior management and outlines the organization’s strategic vision and goals?
A. Policy
B. Procedures
C. Guidelines
D. Standards
The correct answer is A. This is the definition of policy.


8. Which of the following entities is the individual human associated with a particular set of
personally identifiable information (PII)?
A. Data owner
B. Data controller
C. Data subject
D. Data processor
The correct answer is C. This is the definition of the data subject.

9. Organizations in which of the following countries are not allowed to process EU citizen
personal data?
A. Germany
B. Argentina
C. Singapore
D. United States
The correct answer is D. The United States does not have an overarching federal law that
is compliant with the General Data Protection Regulation (GDPR), the EU law governing
personal privacy; therefore, organizations in the United States, with certain exceptions,
are not allowed to process personal data of EU citizens.

10. Which of the following is not a common trait of DRM solutions?
A. Persistence
B. Continuous audit trail
C. Automatic expiration
D. Virtual licensing
The correct answer is D. “Virtual licensing” is not a term with any meaning, and it is just a
distractor in this context.

11. All of the following are common intellectual property licensing options except:
A. Site license
B. Creative commons
C. Shareware
D. Trademark
The correct answer is D. Trademark is not a licensing option; it is a legal protection for
certain types of intellectual property (usually logos/symbols).


12. What is the term for the criminal practice of extorting victims by encrypting their data?
A. Malware
B. Hacktivism
C. Ransomware
D. Trojan horse
The correct answer is C. This is the definition of ransomware; the other answers are
sometimes delivery mechanisms or motivations for ransomware.

13. Which of the following is not a common facet of data privacy laws?
A. Scope limitation
B. Subject notification
C. Enhancement provision
D. Participation option
The correct answer is C. “Enhancement provision” has no meaning in this context, and it is
only a distractor.

14. Which of the following is the American law governing protection of medical-related
privacy information?
A. Sarbanes–Oxley Act (SOX)
B. Gramm–Leach–Bliley Act (GLBA)
C. Personal Information Protection and Electronic Documents Act (PIPEDA)
D. Health Insurance Portability and Accountability Act (HIPAA)
The correct answer is D. HIPAA is the Health Insurance Portability and Accountability Act, which governs the security of medical privacy data in the United States.

15. Which of the following is not an industry standard for data security?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Cloud Security Alliance Security Trust and Assurance Registry (CSA-STAR)
C. General Data Protection Regulation (GDPR)
D. ISO 27001
The correct answer is C. The General Data Protection Regulation (GDPR) is the EU law
governing personal data privacy; it is not an industry standard.


16. Which of the following is a contractual industry standard?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Federal Risk and Authorization Management Program (FedRAMP)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. General Data Protection Regulation (GDPR)
The correct answer is A. The PCI DSS is a standard imposed by the credit card industry via
contract on any entity taking credit card payments. HIPAA and GDPR are laws, and
FedRAMP is a federal program for cloud services providers in the United States.

17. Which of the following enforcement mechanisms is best used for regularly occurring,
repeated common activities?
A. Service contract
B. Service-level agreement (SLA)
C. Nondisclosure agreement (NDA)
D. Background check
The correct answer is B. This is the purpose of a service-level agreement (SLA).

18. Which of the following is not included in the STRIDE threat model?
A. Repudiation
B. Denial of service (DoS)/distributed denial of service (DDoS)
C. Simulation
D. Tampering with data
The correct answer is C. Simulation is not an element of the STRIDE threat model; the S
stands for “spoofing.”

19. Which of the following is not a common audit methodology?
A. ISO certification
B. Cloud Security Alliance Security Trust and Assurance Registry (CSA-STAR) evaluation
C. Statement on Standards for Attestation Engagement Service Organization Control
(SSAE SOC) reports
D. Gramm–Leach–Bliley Act (GLBA) transactions
The correct answer is D. There is no specific audit method associated with Gramm–Leach–
Bliley Act (GLBA); all the other answers are common audit methods.


20. Which of the following is not a common security control category?
A. Destructive
B. Preventative
C. Deterrent
D. Directive
The correct answer is A. While data destruction is an important part of the data security
lifecycle, it is not a common listing in security control categorization.

21. In security management, the need-to-know element should be provided by the
A. Operating system
B. Information owner
C. System owner
D. Data custodian
The correct answer is B. The owner is always in the best position to understand the value
of the information and, therefore, how access needs to be given based on job function and
authorized capabilities.

22. How can an asset classification program enhance access controls?
A. By satisfying the requirements of internal audit
B. By allowing the source to be modified through a rigorous process
C. By ensuring that all relevant security events are logged
D. By setting controls to protect assets
The correct answer is D. Asset classification is implemented to allow organizations to
protect assets based on their value, which is expressed through the classification level.

23. The main benefit of a data classification program is
A. To meet military and government compliance requirements
B. To allow data to receive the appropriate level of protection
C. To allow the organization to be cost-effective
D. To meet privacy requirements
The correct answer is B. The reason we classify data is to allow it to receive the
appropriate level of protection based on its value. The other answers may be reasons, but
they are all included in answer B.


24. The network security administrator has submitted her request to implement additional
security controls to an application. Her request should be reviewed and approved by
A. The operations manager
B. The audit function
C. The owner
D. The controller
The correct answer is C. The owner is always in the best position to understand value of
the asset and is, therefore, accountable for the protection of it.

25. The role of the information custodian should not include which of the following?
A. Classification of information
B. Restoration of corrupted or lost information
C. Regular backup of information
D. Ensuring availability of information
The correct answer is A. The custodian is responsible for protecting the information while it’s in the custodian’s possession. Classification is not done by the custodian; it is done by the owner.

26. Privileged users should be subject to periodic recertification to maintain the level of
privileges that have been assigned. The rationale for the recertification should be based
on all of the following EXCEPT
A. The duration of time needed for access
B. Organizational politics
C. A business or operational need that requires privileged access
D. The requirements of auditors
The correct answer is B. Organizational politics should not be a factor in deciding access
controls and privileges. Owners should review on a regular basis and base the access on
need-to-know and least privilege requirements.

27. Asset classification is the accountability of the
A. Asset owner
B. Asset custodian
C. Asset steward
D. Asset processor
The correct answer is A. The key word is “accountability,” and accountability always rests with the owner of the asset.


28. The correct amount of security is dictated by
A. More is better
B. The level of risk that exists
C. The level determined by the subjects
D. The level of value of the asset
The correct answer is D. This is the absolute best answer: value always drives classification, and the level of protection is based on that classification.

29. When establishing the value of information, the least important factor is
A. Trade secrets
B. Operational impact
C. Quantity of information
D. Value to outsiders
The correct answer is C. All of the items add value except for the quantity.

30. Who normally operates technology systems?
A. Custodians
B. Owners
C. Controllers
D. IT function
The correct answer is A. The custodian operates the technology systems on behalf of the owner. The custodian has the responsibility to ensure that the systems have the right level of security according to the wishes of the owner, who is accountable.

31. Which of the following is the BEST definition of a baseline?
A. Images of configuration parameters
B. Minimum levels of protection requirements
C. Step-by-step required actions
D. Specific hardware recommendations
The correct answer is B. A baseline is defined as a minimum level of something. In asset
protection, we need baselines to define the minimum levels of security according to
certain classification levels.


32. Which of the following is the BEST method for destroying data on magnetic media without
destroying the media itself?
A. Using a commercially graded cleanser
B. Using the erase or delete function of technology systems
C. Subjecting the media to reinitialization
D. Using an overwriting utility program
The correct answer is D. Overwriting is the best method to get rid of information on media
without destroying the media itself.

33. The decision to encrypt information over a network is driven by
A. The estimated monetary value of the information
B. The classification level as determined by the owner
C. The qualitative value of the information
D. The requirements of legal commitments
The correct answer is B. Classification is always done based on value and, therefore, drives the protection requirements, including whether or not to encrypt.

34. What is the proper method of disposing of data on optical media?
A. Degaussing
B. Overwriting
C. Destruction
D. Purging
The correct answer is C. Overwriting and degaussing would NOT work as this is optical
media. The best method will always be destruction, as long as the destruction method is a
good one.

35. Information ethics and compliance deem that an organization has an obligation to protect information; this accountability includes ensuring that the
A. Subject has complete control over the content
B. Information is kept current
C. Information is stored and processed securely
D. Subject controls the destruction of the information
The correct answer is C. Compliance requirements, especially those related to privacy of information, make the organization accountable for protecting the value of personal information.


36. Which of the following is a key responsibility of the custodian of data?
A. Data content and backup
B. Integrity and security of the data
C. Authentication of user access
D. Classification of data elements
The correct answer is B. The data custodian is responsible for the protection of the data
while in the custodian’s possession. The custodian may be doing backups of data, but
certainly not data content. Authentication of user access and classification is what the
owner does.

37. When personal data is maintained about a natural or legal person, that person is defined
under privacy laws as a
A. Data subject
B. Data controlee
C. Data controller
D. Data processor
The correct answer is A. In privacy laws, the person about whom the information has been collected and is being processed and maintained is referred to as the “subject.”

38. Which of the following needs to be intelligible with end-to-end encryption?
A. Private key
B. Encryption algorithm
C. Time to live parameter
D. Network routing information
The correct answer is D. In end-to-end encryption, the data, or payload, is protected from
end-to-end, but the routing information needs to be readable so that devices along the
way can route properly.

39. An advantage of link encryption in a network might be
A. Encrypts all information including routing and header information
B. Protects data from start to finish through the entire network segment
C. Makes key distribution between end points easier
D. Allows more efficient transmission across networks
The correct answer is A. Link encryption encrypts all data including header, routing, and
payload but only from link to link or node to node.


40. Which of the following is the BEST definition of data remanence?
A. The data that has been magnetically written onto the media by altering the magnetic
media sector
B. The residual physical representation of the data that has in some way been erased
C. The data that has been degaussed by using proper technology
D. The data rendered unusable through overwriting technologies
The correct answer is B. Data remanence is the data that is “remaining” on an object after
trying to securely get rid of it. Any trace remaining that could potentially be recovered is
referred to as data remanence.

41. The four types of system and system security engineering processes are:
A. Technology processes, technology management processes, enabling processes,
agreement processes
B. Technical processes, technical management processes, enabling processes,
agreement processes
C. Technical processes, technical management processes, augmentation processes,
acquisition processes
D. Technology processes, technical management processes, acquisition processes, supply
processes
The correct answer is B. Items A, C, and D each have one or more incorrect elements.
Acquisition and supply processes are specific processes that exist, but they are not types of
processes.

42. The Bell–LaPadula (BLP) security model is an example of a security model that is focused
on protecting ____________________.
A. Information deletion
B. Integrity
C. Confidentiality
D. Against improper modification
The correct answer is C. The Bell–LaPadula (BLP) security model specifically addresses confidentiality in multilevel security (MLS) systems. Although it can be considered to provide some protection from information deletion or improper modification, these protections are a by-product of the system rules and not the primary protection type.


43. Three types of security controls are:
A. Preventative, operating, corrective
B. Preventative, detective, technology
C. Preventative, detective, corrective
D. Policy, preventative, corrective
The correct answer is C. A, B, and D each have an incorrect element.

44. The process of customizing security controls to fit the specific security needs of a
particular system in a particular operating environment is known as:
A. Tailoring controls
B. An unauthorized activity that must be reported
C. Adequate security
D. Control tweaking
The correct answer is A. Tailoring is the process of adjusting controls for a particular use
case. It is recognized by all major control application processes.

45. Which of the following are security capabilities integrated to some extent into most major information systems?
A. Access control
B. Memory management
C. Process isolation
D. All of the above
The correct answer is D. A, B, and C are all functions of modern operating systems that
provide some security functionality.

46. A TPM is a _________________ component known as the _________________________.
A. Software, Trusted Platform Module
B. Firmware, Technical Partition Manager
C. Hardware, Trusted Platform Module
D. Hardware, Technical Partition Manager
The correct answer is C. The TPM is a dedicated hardware module, usually a single chip. Items B and D misuse the TPM acronym.


47. Software as a service (SaaS) is considered to be what type of system?
A. Exclusively operated in private data centers
B. Mainframe-based
C. Cloud-based
D. Outmoded and obsolete
The correct answer is C. SaaS is a specific recognized type of cloud offering. It may be
operated in private clouds or public and on- or offsite. Functionality that superficially
appears similar may be offered on mainframe type systems, but they do not use the term
SaaS and do not provide the typical cloud attributes associated with SaaS.

48. Select the best answer: A private cloud deployment:
A. Can exist only within the direct control of the user
B. Supports a single organization
C. Is open for use by the general public
D. Is restricted to a particular community of users
The correct answer is B. A private cloud is characterized by supporting a single
organization or functional unit under a single set of rules or management. However, A is
incorrect because a private cloud may utilize offsite resources and is not restricted to
direct control of the end user.

49. Select the best system type based on the following characteristics: small form factor, low
power utilization, may interface with the physical world, pervasively deployed in
consumer products.
A. Supervisory control and data acquisition (SCADA)
B. Programmable logic controller (PLC)
C. Internet of Things (IoT)
D. Client-based
The correct answer is C. When considering all the listed characteristics, C is the only valid
option. A and B share most of the characteristics with C but are rarely deployed in
consumer products, or even as stand-alone products.

50. Select the system type most susceptible to the following vulnerabilities: loss, theft, weak access controls, communication interception, limited-function operating system.
A. Embedded
B. Control
C. Mobile
D. Server-based
The correct answer is C. Option C is the best choice. A, B, and D respectively share some
characteristics, but only C is typically exposed to loss or theft.


51. Pick the best response. Site and facility design should include consideration for:
A. Firewall placement
B. Personnel screening
C. Security architectural models
D. Security inherited from telecommunications providers
The correct answer is B. Firewalls are logical devices and not part of site or facility design;
architectural models refer to logical architectures not buildings or facilities. While security
inherited from telecommunications providers is an overall security concern, it is not a
specific concern of site or facility design.

52. Select the best response. When designing exterior lighting, you should consider:
A. Impact on video surveillance, possible shadowed areas
B. Infrared illumination
C. Impact on cut/break sensors
D. Impact on motion sensors
The correct answer is A. Infrared illumination may be a consideration for surveillance
systems, but since it is only one element of exterior lighting that does not impact direct
human observation, answer A is the best response. Lighting does not impact cut/break
sensors. In some cases, lighting may impact some types of motion sensors. Lighting has a
direct and high impact on video surveillance and always has a risk of creating shadowed
areas where human or video surveillance is blocked.

53. Select the best answer item from the list below. Two primary types of fire suppression
systems are:
A. Water-based, Halon
B. Halon, sprinkler
C. Water-based, gas-based
D. Water-based, sprinkler
The correct answer is C. Halon and sprinklers are specific examples of gas- and water-based systems but are not types.

54. Select the best response from the lists below. Environmental issues to consider as part of
a site or facility plan include:
A. Hurricane, tornado, flooding, mudslide
B. Insider threat, natural threat
C. Power, internet service provider (ISP)
D. Personnel screening, sprinkler placement
The correct answer is A. Item A has only environmental issues. Items B, C, and D contain
personnel or facility considerations.


55. Encrypting a message with a private key in an asymmetric system provides?
A. Confidentiality
B. Proof of receipt
C. Proof of origin
D. Message availability
The correct answer is C. Encrypting with the sender’s private key allows anyone who has the sender’s public key to decrypt the message. But since only the sender could have encrypted with their own private key, this process provides proof of origin, or what is sometimes referred to as authenticity of the message.

56. One of the largest disadvantages of symmetric key cryptography is?
A. Scalability
B. Availability
C. Computing resource requirements
D. Confidentiality
The correct answer is A. Symmetric key cryptography has the great advantage of speed, but it definitely lacks scalability. As the number of users that need to communicate securely with each other grows, the number of unique symmetric keys required grows exponentially. The equation N × (N − 1) / 2 shows this growth. For 1,000 users, the number of unique keys required would be almost 500,000. It would be very difficult to manage those keys securely.

57. A hybrid cryptography system uses?
A. Symmetric algorithms for key distribution
B. Asymmetric algorithms for message confidentiality
C. Symmetric algorithms for proof of origin
D. Symmetric algorithms for fast encryption
The correct answer is D. All other statements are actually wrong and opposite. Hybrid
cryptography systems use a combination of symmetric and asymmetric algorithms for
what they each are good at, symmetric for speed and bulk, and asymmetric for secure
distribution of the symmetric keys. So, to summarize, in hybrid systems, asymmetric
algorithms are used for key distribution (opposite of answer A), symmetric algorithms are
used for message confidentiality (opposite of B), asymmetric is used for proof of origin
(opposite of C), and symmetric algorithms are used for fast encryption of large messages
(correct answer D).


58. Digital Signatures do not allow for?
A. Unauthorized modifications to a message
B. Authentication of the signatory
C. Third-party verification of a sender
D. Confidentiality of a document
The correct answer is D. Digital signatures provide integrity of the message, authenticity of
the sender, and also non-repudiation services. Confidentiality cannot be achieved through
digital signatures because a digital signature is created by encrypting the digest of a
message with the sender’s private key.
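As an added example (not part of the assessment), the following Go program demonstrates the points of questions 55 and 58 with a real RSA/SHA-256 signature: a signed message verifies, a modified message fails, and a signature checked against an unrelated party's public key fails, while the message itself travels in the clear. The function names and the sample message are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes msg with SHA-256 and signs the digest with the sender's
// private key (RSA PKCS#1 v1.5), the construction question 58 describes.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest and checks sig against it with a public
// key. It succeeds only if msg is unmodified (integrity) and sig was produced
// by the matching private key (proof of origin).
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo returns whether (1) the genuine message verifies, (2) a tampered copy
// verifies, and (3) the signature verifies under an unrelated party's key.
// msg itself is never encrypted: a signature adds no confidentiality.
func Demo() (genuineOK, tamperedOK, wrongKeyOK bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated third party
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("Transfer 100 units to account 42") // constructed sample
	sig, err := SignMessage(sender, msg)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyMessage(&sender.PublicKey, msg, sig)

	tampered := []byte("Transfer 900 units to account 42") // one digit changed in transit
	tamperedOK = VerifyMessage(&sender.PublicKey, tampered, sig)

	wrongKeyOK = VerifyMessage(&other.PublicKey, msg, sig)
	return genuineOK, tamperedOK, wrongKeyOK, nil
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v, other party's key verifies: %v\n", g, t, w)
}
```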

59. The process of hiding characters of plaintext with non-cipher characters is referred to as?
A. Steganography
B. Optimal Asymmetric Encryption (OAE)
C. Null cipher
D. Expansion
The correct answer is C. A null cipher is defined as hiding plaintext characters within
another message that is in plaintext and not encrypted. It is a form of steganography, but
the perfect definition is hiding characters within non-cipher characters.

60. For what application would Electronic Code Book (ECB) mode of symmetric block ciphers
be MOST desirable?
A. When multiple sub-keys are going to be used
B. When more efficient operation is a high priority
C. Where the plaintext to be encrypted is very small
D. When other block cipher modes are unavailable
The correct answer is C. ECB mode does not use an Initialization Vector (IV); therefore, it is
recommended that it is not used unless you can guarantee that what is being encrypted is
very small and there is nothing within it that repeats. ECB mode will always produce the
same ciphertext from the same plaintext when encrypted with the same key, as it does not
use an IV.
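The following Go program is an added illustration, not from the assessment, of the ECB property described above: it encrypts four identical plaintext blocks under one key in ECB (written out by hand, since Go's standard library provides no ECB mode) and in CBC with a random IV, then counts distinct ciphertext blocks. Function names and the sample record are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the block cipher to each block independently, with no
// IV and no chaining. This loop is exactly what ECB mode is.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains blocks under a random IV, so equal plaintext blocks do
// not yield equal ciphertext blocks.
func cbcEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// distinctBlocks counts how many different bs-byte blocks appear in data.
func distinctBlocks(data []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(data); i += bs {
		seen[string(data[i:i+bs])] = true
	}
	return len(seen)
}

// CompareModes encrypts four identical 16-byte plaintext blocks with the same
// AES-256 key in ECB and in CBC and returns the number of distinct ciphertext
// blocks each mode produces. Input is block-aligned, so no padding is needed.
func CompareModes() (ecbDistinct, cbcDistinct int, err error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	// Constructed sample: a repeated 16-byte record, as a structured file or
	// image with repeating content would contain.
	record := []byte("ACCOUNT=0001;OK;")
	var plaintext []byte
	for i := 0; i < 4; i++ {
		plaintext = append(plaintext, record...)
	}
	ecb := ecbEncrypt(block, plaintext)
	cbc, err := cbcEncrypt(block, plaintext)
	if err != nil {
		return 0, 0, err
	}
	return distinctBlocks(ecb, 16), distinctBlocks(cbc, 16), nil
}

func main() {
	e, c, err := CompareModes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB distinct ciphertext blocks: %d (repetition leaks), CBC: %d\n", e, c)
}
```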

61. Hash collisions are?
A. Failures of a given cryptographic hash function to complete successfully
B. Two different input messages that result in the same message digest value
C. Repetitions within a message digest that indicate weaknesses in the hash algorithm
D. Matching message digests found during the verification of a digital signature
The correct answer is B. Hashing algorithm collisions are defined as when two different
messages produce the same message digest value. Good hashing algorithms should resist
collisions as much as possible.


62. Where parties do not have a shared secret and large quantities of sensitive information must be transmitted, the most efficient means of transferring information is to use a hybrid encryption technique. What does this mean?
A. Use of public key encryption to secure a secret key, and message encryption using
the secret key
B. Use of the recipient’s public key for encryption and decryption based on the recipient’s
private key
C. Use of software encryption assisted by a hardware encryption accelerator
D. Use of elliptic curve encryption
The correct answer is A. Hybrid cryptography means using both symmetric key
cryptography and asymmetric key cryptography for what each is good at. Symmetric is used
for fast and bulk encryption, asymmetric is used to communicate the symmetric key
required at both ends.
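Added example, not part of the assessment, showing the hybrid scheme of questions 57 and 62 in Go with standard-library primitives: a random AES-256 key encrypts the bulk message (AES-GCM, so modification in transit is detected), and RSA-OAEP under the recipient's public key carries that key. The Envelope type and function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the network: the one-time symmetric key wrapped
// with the recipient's public key, plus the bulk payload under that key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP of the random AES-256 key
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// HybridEncrypt: symmetric for the bulk data (fast), asymmetric only for the
// 32-byte key (no pre-shared secret needed).
func HybridEncrypt(recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, nil),
	}, nil
}

// HybridDecrypt unwraps the key with the recipient's private key, then decrypts
// and authenticates the payload; any modification of the envelope fails here.
func HybridDecrypt(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip encrypts a constructed bulk message for a fresh recipient key
// pair, decrypts it, and reports whether it matches and whether a bit flip
// in transit is rejected.
func RoundTrip() (matches, tamperRejected bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := bytes.Repeat([]byte("sensitive record;"), 3000) // ~51 KB, constructed
	env, err := HybridEncrypt(&recipient.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	pt, err := HybridDecrypt(recipient, env)
	if err != nil {
		return false, false, err
	}
	matches = bytes.Equal(pt, msg)
	env.Ciphertext[0] ^= 0x01 // corrupt one bit of the payload
	_, err = HybridDecrypt(recipient, env)
	return matches, err != nil, nil
}

func main() {
	m, r, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted matches: %v, tampered envelope rejected: %v\n", m, r)
}
```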

63. You come into work on Monday and your workstation is booting up after being turned off
over the weekend. When your system starts up, you note that you can’t access any
resources. When you look at your network configuration, you note that your workstation
has an IP address of 169.254.1.1. What is most likely the cause?
A. Your computer has a virus.
B. The Dynamic Host Configuration Protocol (DHCP) server is not responding.
C. The Domain Name System (DNS) server is not responding.
D. None of the above.
The correct answer is B. If the DHCP server is unreachable, the workstation self-assigns an IP address in the 169.254.x.x range specified for IPv4 link-local addresses in RFC 3927.

64. You are trying to use an external Domain Name System (DNS) server as a forward lookup
on your internal network, but you cannot get it to resolve a name to an IP address. What is
the probable cause?
A. Port 67 is being blocked outbound on your network.
B. Port 67 is being blocked inbound on your network.
C. Port 53 is being blocked inbound on your network.
D. Port 53 is being blocked outbound on your network.
The correct answer is D. DNS service operates on port 53. If an external request for DNS
service is being denied, then the port is being blocked.


65. At what layer of the Open Systems Interconnection (OSI) model are segments
transmitted?
A. Layer 4 or Transport
B. Layer 1 or Physical
C. Layer 2 or Data-Link
D. Layer 0 or Operational
The correct answer is A. Layer 4 transmits segments across communication systems.

66. A Simple Network Management Protocol (SNMP) system is monitoring services and
systems on your network. You discover a breach in the network management system.
What might be the cause?
A. The default public community string was never changed.
B. The public community string was left unprotected.
C. The public community string was passed out to the users on your network.
D. The default private community string was never changed.
The correct answer is D. The private community string on SNMP has the capability to write
and, therefore, make changes to the network management system that could lead to a
breach.

67. What statement is true about software-defined networks (SDNs)?
A. The control plane has no network operating system support.
B. The infrastructure plane manages the forwarding of data.
C. The management plane is designed for applications.
D. All planes have the same function.
The correct answer is B. The infrastructure plane is responsible for forwarding data.

68. What is a benefit of Network Function Virtualization (NFV)?
A. Manage application pools
B. Mitigate attack vectors
C. Support transition from Capital Expenditure (CapEx) to Operational Expenditure
(OpEx)
D. Process data overflow
The correct answer is C. Network Function Virtualization (NFV) supports the transition from
Capital Expenditure (CapEx) to Operational Expenditure (OpEx) by optimizing technology
to deliver services.

69. A workstation has made a request to synchronize (SYN) with your workstation, and your
workstation responds with an acknowledgement (ACK) and a request to SYN with the
requesting workstation. The next message you receive is a request to SYN. What could
this be the beginning of?
A. Normal three-way handshake
B. Teardrop attack
C. Smurf attack
D. SYN flood
The correct answer is D. An attacking station is sending SYN requests and attempting
to have your workstation start a series of half-open connections.
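The half-open connection build-up this answer describes, shown from the defender's side: an added Python example (not from the assessment or its authors) that counts SYN-RECV sockets per remote address in a constructed connection table laid out like `ss -tan` output and flags any source at or above an assumed threshold. The sample lines, addresses and threshold are all constructed for the demonstration.

```python
"""Half-open (SYN-RECV) connection monitor, added as an illustration; not from the assessment.

A SYN flood leaves the target holding many half-open connections: each SYN was answered
with SYN-ACK but the final ACK never arrives. This script counts SYN-RECV entries per
remote address in a connection table and reports any source above a threshold.
"""
from collections import Counter

# Constructed sample in the column layout of `ss -tan`: State Recv-Q Send-Q Local Peer
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:443         198.51.100.7:52110
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40004
SYN-RECV   0      0      10.0.0.5:443         192.0.2.44:51000
ESTAB      0      0      10.0.0.5:22          198.51.100.7:52200
"""


def half_open_by_peer(ss_text: str) -> Counter:
    """Count SYN-RECV (half-open) sockets per remote IP address."""
    counts = Counter()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]  # strip the port, keep the address
        counts[peer_ip] += 1
    return counts


def flag_syn_flood_sources(ss_text: str, threshold: int = 3) -> list:
    """Return peers whose half-open connection count meets or exceeds the threshold.

    The threshold is an assumed value; tune it to the baseline of the monitored host.
    """
    return sorted(ip for ip, n in half_open_by_peer(ss_text).items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_by_peer(SAMPLE_SS_OUTPUT))
    print("suspected SYN flood sources:", flag_syn_flood_sources(SAMPLE_SS_OUTPUT))
```

A single SYN-RECV entry per peer is normal during a handshake in progress; the signal is a sustained pile of them from the same source, which is why the check counts per address rather than alerting on the state alone.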

70. Company X was on alert that they could be under attack after they referred to a baseline
of activity that appeared higher than normal but without any service outage, disruption,
or manipulation of services. What dynamic analysis engine put them on alarm?
A. Protocol anomaly
B. Traffic anomaly
C. Signature matching
D. None of the above
The correct answer is B. Traffic anomaly detection measures against a baseline of normal
traffic and can alert the system if the normal volume of traffic flow is exceeded.

71. What Voice over Internet Protocol (VoIP) concern is tied to variation of traffic timing?
A. Jitter
B. Sequence errors
C. Traffic delay
D. Reverse traffic delay
The correct answer is A. Unlike network delay, jitter does not occur because of the packet
delay but because of a variation of packet timing.

72. Two users are making decisions on how they want to create an IPSEC connection. Their
most important concern is to ensure that when the connection is created, they are certain
that it is made between the two of them. How should the connection be created?
A. Encapsulating Security Payload (ESP)
B. Authentication Header (AH)
C. Diffie Hellman
D. Star Property
The correct answer is B. Authentication Header (AH) should be configured to prove the
identity of the sender. Digital signatures or an exchange of public keys can support this
requirement.

73. What is the tunneling in Layer 2 Tunneling Protocol (L2TP)?
A. High level encryption
B. Encapsulation
C. Low level encryption
D. Medium level encryption
The correct answer is B. Layer 2 Tunneling Protocol (L2TP) has no native encryption. Its
tunneling is an encapsulation capability for carrying other protocols; L2TP needs IPSEC
for encryption.

74. A user needs to keep the contents of their transmission secret from their computer to
another computer node at another location. What mode should be selected for the
stations to run?
A. Symmetric
B. Transport
C. Tunnel
D. Asymmetric
The correct answer is B. They need to select transport mode as this provides end-to-end
encryption.

75. A request has been made to a web application by means of a URL, and the request
contains “../”. What should the system do with this request?
A. Process the request
B. Wait for the next instruction
C. Reject the request
D. Embed the request into another request
The correct answer is C. An input security filter mechanism should refuse any request
containing the “../” sequence, thus blocking an attempted path traversal attack.
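The input filter this answer calls for, as an added Python example that is not part of the assessment or its authors' material. It rejects any request whose URL path contains “../”, and goes one step beyond the answer: it also resolves the requested path against a fixed base directory and confirms the result still lies inside it, so a traversal that dodges the literal check is caught by the canonical-path check. The web root, URLs and file names are constructed for the demonstration.

```python
"""Path traversal input check, added as an illustration; not from the assessment.

Two layers: reject the literal "../" sequence (as the answer key states), then confirm the
normalised path stays under the base directory.
"""
import posixpath
from urllib.parse import unquote, urlsplit

BASE_DIR = "/var/www/app/public"  # assumed web root for this example


def is_safe_request(url: str, base_dir: str = BASE_DIR) -> bool:
    """Return True only if the URL's path may be served from base_dir.

    1. The raw and the percent-decoded path must not contain "../".
    2. The decoded path, normalised and joined to base_dir, must still be under base_dir.
    """
    raw_path = urlsplit(url).path
    decoded = unquote(raw_path)
    if "../" in raw_path or "../" in decoded:
        return False  # reject, as the answer key says
    # posixpath.normpath collapses "." and ".." components so the result is canonical
    joined = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    return joined == base_dir or joined.startswith(base_dir + "/")


def triage(urls) -> dict:
    """Map each request URL to the verdict "accept" or "reject"."""
    return {u: ("accept" if is_safe_request(u) else "reject") for u in urls}


# Constructed sample requests (example.test is a reserved, non-routable domain)
SAMPLE_REQUESTS = [
    "https://example.test/images/logo.png",
    "https://example.test/../../config/secrets.txt",
    "https://example.test/images/%2e%2e/%2e%2e/config/secrets.txt",
    "https://example.test/docs/./readme.txt",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_REQUESTS).items():
        print(f"{verdict:7} {url}")
```

The second check is the one to keep even if the literal filter is later loosened: whatever the request looked like, a path that normalises to something outside the web root is never served.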

76. Which ISO document addresses the 7-layer OSI model?
A. 27001
B. 27002
C. 31000
D. 7498
The correct answer is D. ISO/IEC 7498 addresses the 7-layer OSI model.

77. A rogue wireless device has been found on a network, and the way it was discovered is
that individuals were not able to get a DHCP address. What should be done to prevent this
in the future?
A. Turn on port authentication on the host switches.
B. Create reservation on the DHCP server.
C. Set the clients to Bootstrap Protocol (BootP).
D. Expand the reservation pool on the DHCP server.
The correct answer is A. Turn on port authentication on the host switches to prevent rogue
stations from connecting without proper MAC addresses.

78. Your organization has made the decision to implement a software-defined network (SDN).
What equipment will be managed within the new environment?
A. Routers and switches
B. Switches and servers
C. Switches, servers, and routers
D. All systems in the data center
The correct answer is A. Routers and switches are the only systems defined in an SDN.

79. Your organization must still manage a Multiprotocol Label Switching (MPLS) network while
converting its internal network to SDN. You want a better understanding of your
prioritized traffic flows on the MPLS network to match your SDN design. What field in the
MPLS label header will provide this information?
A. Stack
B. TTL
C. Class of Service
D. QoS Bit
The correct answer is C. Class of Service defines the traffic prioritization.

80. Which “Generation” of cellular service is being designed to accommodate software-defined
network (SDN)?
A. 2G
B. 4G
C. 5G
D. 6G
The correct answer is C. 5G is being designed to accommodate SDN service.

81. In which cellular service is each call encoded with a unique key?
A. Startec Service X
B. Global System for Mobiles (GSM)
C. Code Division Multiple Access (CDMA)
D. 3G
The correct answer is C. Code Division Multiple Access (CDMA) has each call encoded with
a unique key.

82. In what attack can a user on one VLAN connect to another unauthorized VLAN via a
Dynamic Trunking Protocol (DTP) link?
A. ARP attack
B. MAC flood
C. 802.1Q and Inter-Switch Link Protocol (ISL) Tagging attack
D. Double-Encapsulated 802.1Q/Nested VLAN attack
The correct answer is C. 802.1Q and Inter-Switch Link Protocol (ISL) Tagging attack
is when a user on one VLAN connects to another unauthorized VLAN via DTP link.

83. Your organization maintains a wide range of intellectual property that includes digital
documents, audio files, and video content. To support an access control methodology that
defines which groups can access resources based upon job descriptions, what access
control tool type should be implemented?
A. Role-based access control (RBAC)
B. Mandatory access control (MAC)
C. Discretionary access control (DAC)
D. Attribute-based access control (ABAC)
The correct answer is A. Role-based access control (RBAC) defines what groups can access
a particular resource.

84. Which document specifies access control models as “formal presentations of the security
policies enforced by access control systems?”
A. NIST SP 800-53
B. NIST SP 800-192
C. NIST SP 1-2
D. ISO 27001
The correct answer is B. NIST SP 800-192 is written to address access control systems. NIST
SP 800-53 is written to address controls related to US federal systems (r4 and below).
There is no NIST SP 1-2. ISO 27001 is designed to certify an organization’s information
security management system.

85. Which of the following could represent an identity management risk?
A. Provisioning a third-party identity as a service (IDaaS) without a proper SOC 2 report
providing an opinion of the organization’s management of the trust principles.
B. Using Kerberos as a single-sign-on solution.
C. Reviewing business policy before choosing a solution.
D. Curtailing logging into a system during non-business hours.
The correct answer is A. Choosing any provider without a proper audit of their controls
represents a risk. Answers B through D are all appropriate activities that support identity
management.

86. When the data owner manages classification of data, what control is being envisioned?
A. Authentication
B. Authorization
C. Accountability
D. Identification
The correct answer is B. Classification of data leads to defining who should have resource
access or be authorized. Authentication defines a challenge against a professed identity.
Accountability ensures that identification, authentication, and authorization are occurring
according to the specified security policy.

87. Which biometric reader has the most rapid authentication?
A. Retinal scanning
B. Iris recognition
C. Voice recognition
D. Rapid eye movement scanner
The correct answer is B. An iris scanner is the most rapid, at 2 seconds. A retinal scanner
takes 10 seconds. Voice recognition can take 10–14 seconds. There is currently no rapid eye
movement scanner.

88. What is the number 2 threat on the Open Web Application Security Project (OWASP) Top 10?
A. Relational engineering
B. Injection
C. Weak authentication and session management
D. Using components with known vulnerabilities
The correct answer is C. Injection is number 1, using components with known
vulnerabilities is 9, and relational engineering is not a top 10 threat.

89. The Digital Identity Guidelines of NIST SP 800-63-3 contain recommendations to support
A. Role-based access controls (RBACs)
B. Maintenance of a security policy
C. Maintenance of governance
D. Requirements for identity proofing and registration
The correct answer is D. Role-based access controls (RBACs), maintenance of a security
policy, and governance can aid in developing the requirements for identity proofing and
registration, but they are not what NIST SP 800-63-3 is about.

90. A Credential Service Provider is responsible for
A. Teaming network interface cards for redundancy
B. In-person identity proofing
C. Retroactive account deletion
D. Proactive account deletion
The correct answer is B. Providing redundant systems is the responsibility of a processor
that manages equipment. Any account management is carried out by a custodian.

91. What are the four components of Security Assertion Markup Language (SAML)?
A. Attributes, bindings, protocols, profiles
B. Attributes, bindings, protocols, pending items
C. Attributes, bindings, protocols, pin-types
D. Attributes, bindings, profiles, people
The correct answer is A. Pending items, pin-types, and people are not among the four
components of SAML.

92. A claimant is asked to provide in-person proof of their identity. What minimum level of
assurance does the in-person proofing request satisfy?
A. Identity Assurance Level 1 (IAL1)
B. Identity Assurance Level 2 (IAL2)
C. Identity Assurance Level 3 (IAL3)
D. Identity Assurance Level 4 (IAL4)
The correct answer is B. IAL2 meets the request at the minimum level of assurance. IAL1
doesn’t require in-person proofing. IAL3 also requires in-person proofing but imposes
controls beyond the minimum requirement. IAL4 doesn’t exist.

93. Federation Assurance Level (FAL) refers to the strength of an assertion in a
A. Federal institution
B. Federated environment
C. An SQL environment
D. Wireless access point
The correct answer is B. Federation Assurance Level (FAL) refers to the strength of an
assertion in a federated environment as per NIST SP 800-63-3. The institution and the
other environments are not part of FAL.

94. The NIST SP 800-63-3 enrollment process allows credentials to be produced in which of
the following forms?
A. Symmetric keys
B. Public keys
C. Personal keys
D. Smart keys
The correct answer is B. Public/private keys, digital certificates, and smart cards are
allowed in credential production. Symmetric, personal, and smart keys are not.

95. An organization has various forms of intellectual property that are labeled as confidential
trade secrets. They need to keep the trade secrets with the highest level of protection
available. The trade secrets are kept in various media types: audio, video, and digital
documents. Some of the access control methodology can be represented by traditional
groups, some of the access control methodology can be represented by specific conditions
of access like time and location, and some of the access control methodology is purely left
to individual data owners. Which access control methodology best fits the organization’s
need?
A. Rule-based access control (RBAC)
B. Attribute-based access control (ABAC)
C. Role-based access control (RBAC)
D. Discretionary access control (DAC)
The correct answer is B. Attribute-based access control allows for an integration of access
control methodologies that includes rule-based access control, role-based access control,
and discretionary access control.

96. Which of the following is a part of the creation, management, and disposal of system user
accounts?
A. Identity and referral services
B. Identity and access management
C. Identity and identity destruction
D. Identity and access referral
The correct answer is B. The other terms used with Identity are not part of the creation,
management, and disposal of system user accounts.

97. NIST SP 800-145 defines three cloud service models. Which one of the three would
Identity-as-a-Service (IDaaS) be closely identified with?
A. Software as a service (SaaS)
B. Platform as a service (PaaS)
C. People as a service (PeaaS)
D. Infrastructure as a service (IaaS)
The correct answer is A. Identity as a service (IDaaS) is provided as a software service.
Platform as a service (PaaS) is provisioned for application development. Infrastructure as a
service (IaaS) is provisioned for raw storage and compute resources. People as a service
(PeaaS) doesn’t exist.

98. What activity would represent an outcome of the identity and access management
accountability process?
A. Delete a user account
B. Review user ID access
C. Receiving a request to provision a new user ID
D. Calibrating a time division multiplexing chain
The correct answer is A. Reviewing user ID access is part of the accountability process and
is not an outcome. Receiving a request to provision a new user ID would happen before
the accountability process would be needed. Time division multiplexing is how a signal is
transmitted with multiple signals within.

99. The authentication information utilized during the identity proofing process is based
upon which role?
A. Authorized entity
B. Claimant
C. Monitor
D. Revealer
The correct answer is B. Authorized entities sponsor claimants for inclusion in the identity
proofing process. There are no such roles as monitor and revealer in the identity proofing
process.

100. A primary goal of federated identity management (FIM) is to
A. Allow ease of collusion
B. Facilitate the ease of ID creation
C. Reconcile the identity proofing process
D. Allow disparate organizations to share resources
The correct answer is D. Federated identity management (FIM) reduces the need for
creating IDs. Reconciling the identity proofing process should be an activity that is
managed through audit. FIM is not designed to ease collusion.

101. When Type I errors are equal to Type II errors on a biometric system, what state has been
reached?
A. Crossover Elusive Rate
B. Crossover Elliptic Rate
C. Crossover Error Rate
D. Crossover Erudite Rate
The correct answer is C. The Crossover Error Rate is reached when the False Acceptance
Rate equals the False Rejection Rate. Elusive, elliptic, and erudite are unrelated to
biometric rejection and acceptance error rates.

102. What scenario below represents multi-factor authentication?
A. User ID and a statically assigned numeric PIN
B. An iris scan and signature dynamics
C. Geo-location and a password
D. A type I and type II device
The correct answer is C. Geo-location is somewhere a person can be, and a password is
something a person knows. A user ID and a statically assigned PIN are both the same factor:
something a person knows. An iris scan and signature dynamics are both something a
person is.

103. Your organization has system administrators that have management control of server
systems that contain highly confidential data which is critical to business continuity. What
type of test is most appropriate to reveal your risk?
A. External
B. Internal
C. Third-party
D. None of the above
The correct answer is B. The internal test is designed to surface vulnerabilities that can
arise from the threat of internal employees. The external test is designed to expose
vulnerabilities related to external actors. The test conducted by third-party organizations
is designed to augment existing teams or provide greater assurance to customers for
security and process integrity.

104. Vulnerability scanning could be used to determine _________.
A. System portability
B. Process improvement
C. Patch levels
D. Lack of training
The only correct answer is C. Vulnerability scanning can detect patch levels, services that
shouldn’t be enabled, and improperly configured systems. None of the other issues are part
of a vulnerability scan.

105. A company is hosting a web front-end service that has users that access services from
around the world. In recent weeks, they’ve noticed a drop in the amount of “clicks” to
their website. For the users that are still accessing the website, they would like to
understand what their experiences are. What tool would you suggest they use?
A. Website monitoring
B. Near real monitoring
C. TCP monitoring
D. Real user monitoring
The correct answer is D. Real user monitoring tracks every transaction of every user, which
represents the clients’ requirements. Website monitoring uses synthetic transactions to
imitate a user. TCP monitoring measures availability of services. There is no such thing as
near real monitoring.

106. What method should be used to test the thoroughness of the logic of code?
A. Black-box
B. Red box
C. Automated testing
D. Static testing
The correct answer is D. Static testing examines the logic of the code line by line. Black-box
testing is for code that can only be executed. Automated testing is too generic to answer
the specific requirement.

107. What are proper considerations to make when selecting a testing method?
A. Attack surface and application type
B. Attack surface and program readiness
C. Attack surface and process types
D. Attack surface and relationship sets
The only correct answer is A. Different security testing methods are addressed by attack
surface when applied to different application types. Program readiness, process types, and
relationship sets are not testing method considerations.

108. Code-based testing is also known as ________
A. Black-box testing
B. Structural testing
C. Grey-box testing
D. None of the above
The correct answer is B. Structural testing is code-based testing. Black-box doesn’t allow
you to see the code. Grey-box is not transparent enough to see the code either.

Scenario for Questions 109–111

A service desk maintains a mandatory availability window of 24 × 7 × 365. The executive
management within the organization notices that employees within the company tend to let
customer satisfaction issues with the service desk develop until they are escalated to the
executive management level. Many of the issues relate to what is perceived to be an
unacceptable amount of time taken to resolve calls and a lack of communication of call status.
This puts the organization at risk of losing clients. Executive management would like to adopt
an approach to this problem, and they come to you for assistance.

109. What would you recommend to the executive management of this company for being able
to foresee problems as they describe above?
A. Terminate employees whose names come up in the complaints
B. Rewrite the security policy and re-evaluate business mission
C. Develop key risk indicators (KRIs)
D. Develop key performance indicators (KPIs)
The correct answer is C. KRIs are designed to be predictive of risks that have not been
realized. KPIs are not forward looking but look at previous accomplishments or lack
thereof. Terminating employees or rewriting the security policy and mission don’t address
what has been requested.

110. What action should be taken to address the perceived response of the employees at the
service desk?
A. Terminate employees whose names come up in the complaints
B. Create a training program
C. Create an awareness program
D. Stop all activity and regroup.
The correct answer is C. Awareness programs are designed to address issues. Training
programs are designed for specific job skills. Stopping all activity is not reasonable given
the business requirements. Terminating employees should not be the first option.

111. What would be a way to discern if the desired change is being achieved?
A. Get on the phone with the service desk and listen in
B. Review the 360 feedback reports on the managers
C. Increase of positive comments
D. Develop and implement KPIs
The correct answer is D. KPIs can help determine whether the service desk is keeping abreast
of success factors in organizational behavior. Each of answers A, B, and C could be part
of the KPIs.

112. What should be avoided in test output data?
A. Metadata
B. Simulated data
C. Sensitive data
D. None of the above
The correct answer is C. Sensitive data is the only real data that should be avoided in test
output data.

Scenario for Questions 113–116

Your company is seeking to outsource business process services to a service provider. Although
the service provider has only been in business for nine months, they have several
recommendations from industry leaders in the field. This service provider of choice has made a
competitive bid for the request for proposal that was published by your company. Your
company needs to maintain the materials that they will process with a high degree of
confidentiality for the data, and your most critical business process data has a maximum
tolerable downtime (MTD) of three hours. Your company wants the highest proof possible that
the controls the processing company maintains are adequate to meet your company's needs.

113. Which audit should be done to address the concern about the length of time the service
provider has been in business?
A. SOC 2
B. SOC 1
C. SOC 3
D. None of the above
The correct answer is B. SOC 1 reviews the financial controls of an organization. SOC 2 and
SOC 3 address technical controls: SOC 2 is detailed, and SOC 3 is an executive summary.

114. What audit should be done to provide assurance about the availability and confidentiality
of the service provider?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
The only correct answer is B. SOC 2 is an audit to address technical controls. SOC 3 is a
summary of technical control audits. SOC 1 reviews financial controls of an organization.
SOC 4 doesn’t exist.

115. What type of audit should be done on the service provider?
A. Type I
B. Type II
C. Type III
D. Type IV
The correct answer is B. A Type II audit provides proof of the effectiveness of controls for
either a SOC 1 or a SOC 2. Type I audits only supply proof of the design.

116. Which trust services principles are most appropriate for the auditor to focus on?
A. Confidentiality and availability
B. Processing integrity and privacy
C. Privacy and confidentiality
D. Security and processing integrity
The correct answer is A. The client has a need to meet a short maximum tolerable
downtime (MTD) and confidentiality.

117. Which of the following is an example of a security awareness source for an awareness
program?
A. Job skills development
B. Posters with reminders to change password
C. Procedures to test a system
D. Accreditation of a tested system
The correct answer is B. Posters about security can be used to create awareness. Job skills
development is training.

118. What control is specified in ISO 27002 concerning test data?
A. Tests should not be done in production environments
B. Test data are always a clear path to test schemes
C. Test data are necessary in DevOps
D. Test data should avoid containing personally identifiable information (PII)
The correct answer is D. Control 14.3.1 specifies that use of PII, or that which is
confidential, should be avoided.

119. Third-party assessments are ________
A. Too costly
B. Slow and ineffective
C. Driven by some regulations
D. Always necessary.
The correct answer is C. Some regulations demand that third-party assessments are done.
The effectiveness, costliness, or necessity are all subjective.

120. What is the primary purpose of a negative test?
A. To verify the operating power of a system
B. To ensure graceful handling of unexpected input
C. Reconcile the identity proofing process
D. Allow disparate organizations to share resources
The correct answer is B. A negative test ensures that your application can gracefully handle
invalid input or unexpected user behavior. The other answers have nothing to do with a
negative test.

121. Interface testing can be used to __________
A. Check and verify if all the interactions between the application and a server are
executed properly
B. Check the connections between fail-safe and fail-secure
C. Run tests in a loop until errors become evident
D. None of the above
The correct answer is A. Interface testing can be used to check and verify if all the
interactions between the application and a server are executed properly.

122. Once code inspection is complete, what kind of software testing occurs?
A. User acceptance testing
B. Business case testing
C. Unit level testing
D. Test sophistication
The correct answer is C. Once the prerequisite tasks (e.g., code inspection) have been
successfully completed, software testing begins. It starts with unit level testing. User
acceptance testing happens later in the testing process. B and D do not exist.

123. Which of the following terms is most associated with the concept of need-to-know?
A. Static testing
B. Social engineering
C. Compartmentalization
D. Nondisclosure agreements
The correct answer is C. The principle of need-to-know limits dissemination of sensitive
information outside of personnel assigned to a given project/office, even if other
personnel have the same clearance level.

124. Which of the following is not true about privileged accounts?
A. Privileged account holders should be subject to more extensive background checks
than regular account holders.
B. They should be temporary.
C. They should be subject to more extensive auditing.
D. They should be granted only for remote access.
The correct answer is D. If anything, remote access should eliminate eligibility for
privileged accounts.

125. Which of the following is not a benefit the organization realizes from job rotation?
A. Improved employee morale
B. Reduction in single points of failure in staffing
C. Elimination of the possibility of social engineering
D. Aids in detecting internal threats
The correct answer is C. Job rotation has no bearing on the organization’s susceptibility to
social engineering.

126. In which phase of the information lifecycle is data moved from the production
environment into long-term storage?
A. Create
B. Share
C. Store
D. Archive
The correct answer is D. This is the definition of archiving.

127. What is usually the enforcement mechanism of a service-level agreement (SLA)?
A. Incarceration
B. Regulatory capture
C. Early withdrawal
D. Financial penalties
The correct answer is D. SLAs are typically enforced by ascribing financial penalties to
specific conditions (or, more likely, for failing to meet those conditions).

128. Which of the following is not typically reflected in the asset inventory?
A. The asset owner
B. The asset size
C. The asset location
D. The asset value
The correct answer is B. Size is not a trait typically included in the asset inventory.

129. All of the following departments typically will be represented on the Change Management
Board (CMB) except:
A. Sales/marketing
B. Accounting/finance
C. Security office
D. The user community
The correct answer is A. The Sales/Marketing office is not involved in the baseline/revision
of the environment.

130. What should always be included in the patch process?
A. The option to roll back to the last known good system state
B. Contacting the patch issuer to seek clarification
C. Instant and immediate application of patches to all affected systems
D. Regulator notification
The correct answer is A. Because a patch might cause unpredicted issues, the organization
should always have the capability to revert to the previous system state after a patch has
been applied.

131. Patches should be tested ________.
A. daily
B. in a test bed that mimics the production environment
C. only on external, off-premise systems
D. in the jurisdiction in which they were issued
The correct answer is B. Patches should be tested separately from the production
environment, in a test bed that mimics it.

132. Which of the following is a preventative measure to counter the possibility of lost/stolen
media?
A. Digital watermarking
B. Proper and thorough labeling
C. Online tracking mechanisms
D. Secure disposal
The correct answer is D. All of the answers listed are methods for protecting media (and
the data residing on media), but only secure disposal is a preventative method.

133. Which of the following is not an acceptable, suggested practice in dealing with third-party
security vendors?
A. The use of nondisclosure agreements
B. Regulator participation
C. The use of service-level agreements (SLAs)
D. Insurance/bonding
The correct answer is B. Regulators are not always involved in all industries; when they
are, they may lend approval or guidance, but they do not usually participate in
relationships between organizations and third-party security vendors.

134. One of the best benefits of anti-malware systems is _________.
A. evidence of due diligence
B. prevent social engineering attacks
C. no financial cost
D. no impact on productivity
The correct answer is A. An organization with anti-malware systems in place is providing a
reasonable, expected security measure. All the other answers are not benefits of
deploying anti-malware systems.

135. Which of the following entities/activities is not usually involved in incident detection?
A. Log analysis
B. Firewalls
C. Users
D. Human resources (HR)
The correct answer is D. The HR department does not typically lend any utility to the
practice of detecting incidents.

136. Which of the following is not one of the main variables affecting how an organization
initially addresses an incident?
A. Time
B. Risk
C. Impact
D. Location
The correct answer is D. Location is not one of the initial main variables an organization
takes into account when addressing incidents; the other three answers are. Location may
be a factor in addressing root cause, after incident response is underway.

137. All incident management actions should be __________.
A. instantaneous
B. expensive
C. contracted
D. documented
The correct answer is D. Documentation serves to provide evidence after the response
is complete, aids in addressing root causes, and helps improve the response process.

138. Who should decide how an incident would be addressed?
A. Security officer
B. Law enforcement
C. Senior management
D. Regulators
The correct answer is C. Senior management is in the best position to weigh the costs and
benefits of different courses of response action.

139. Which kind of investigation should be performed if the organization does not want to
involve law enforcement, external parties, or a court action?
A. Civil
B. Criminal
C. Regulatory
D. Administrative
The correct answer is D. Administrative investigation is best for all matters the
organization wants to handle internally.

140. Which of the following is used to ensure that the evidence collected is the same evidence
presented to a court?
A. Nondisclosure agreement
B. Job rotation
C. Chain of custody
D. Forensic analysis
The correct answer is C. This is the purpose of the chain of custody.

141. Which of the following is not a trait expected of evidence presented to a court?
A. Irrefutable
B. Admissible
C. Comprehensive
D. Objective
The correct answer is A. In an adversarial court system, all evidence is refutable.

142. Which of the following is not a typical location for placement of an intrusion detection
system/intrusion prevention system (IDS/IPS)?
A. Network perimeter
B. Fire suppression monitoring systems
C. Individual hosts
D. Network devices
The correct answer is B. IDS/IPS serve no purpose in fire suppression.

143. How should buffer overflow vulnerabilities be addressed?
A. By using blacklists that contain all characters that can be potentially harmful
B. By installing patches to fix buffer overflow vulnerabilities
C. By using the latest programming development methodologies that resist well-known
vulnerabilities
D. By using strongly typed programming languages, implementing bounds and input
checking controls, and using safe functions
The correct answer is D. Buffer overflows can occur in applications programmed in
languages that are not strongly typed and that allow direct memory access. This can be
exploited by an attacker to inject malicious code into the buffer of the function, possibly
causing the application to execute that code with elevated privileges. Proper bounds checking
and choosing safe functions remain the accepted ways of addressing buffer overflow
conditions.

144. How is an interpreted language application different from a compiled language
application?
A. Interpreted languages do not require the entire source code to be compiled to
machine code before the application can run.
B. Interpreted applications are limited to specific platform; compiled applications can run
on any platform.
C. Compiled applications are limited to a specific platform; interpreted applications can
run on any platform.
D. Interpreted applications execute faster than compiled applications.
The correct answer is A. An application written using a compiled language requires the
entire source code to be compiled into machine language (executable) before the
application can run on any system, while applications written in an interpreted language
have their source code “translated” line by line into machine language by the interpreter,
on the fly.

145. Why is it important to build security into the application as opposed to adding it later?
A. It is not; both approaches are equally appropriate.
B. It conforms to the concept of “security by obscurity,” which provides adequate
security by hiding it within the application itself.
C. Building security into the application provides more layers of security and can be
harder to circumvent.
D. Building security into the application can reduce development time, allowing the
application to be released to production sooner.
The correct answer is C. The other statements are incorrect and, in fact, the opposite holds.
Designing and building security into the application from the start is always the most
efficient and cost-effective way of doing it, and therefore it should always be mandated.

146. What is a common issue to consider regarding the cryptographic protection of data in
applications?
A. Using cryptography also requires the careful and appropriate key management,
including key creation, key storage, and key handling.
B. Cryptography requires the proper licensing for the algorithms used.
C. Using cryptography for data protection requires potentially expensive hardware
security modules (HSM) to store the keys securely.
D. Smart cards are required to store encryption keys securely.
The correct answer is A. Key management is the most important aspect of using
cryptography solutions.

147. What are the reasons that testing applications with live data or testing in a production
environment is not advocated?
A. If the application processes confidential or sensitive data, the testing process may
result in need-to-know or privacy violations.
B. The testing process might not provide realistic results because the live data cannot be
sanitized.
C. Based on the concept of need-to-know, the developers are not authorized to view live
data.
D. Testing with live data violates privacy regulation compliance.
The correct answer is A. Allowing developers to be exposed to confidential and sensitive
data, which may violate privacy requirements, would be a violation of need-to-know and
compliance requirements.

148. What is the purpose of the Capability Maturity Model Integration for Development
(CMMI-DEV)?
A. CMMI-DEV measures the maturity and capability levels of the organization’s
development processes.
B. CMMI-DEV measures the maturity and capability levels of system integration in the
organization.
C. CMMI-DEV helps organizations improve their development and maintenance
processes for both products and services.
D. CMMI-DEV is a process improvement maturity model for the development of products
and services.
The correct answer is C. This is the actual definition by the Software Engineering Institute
(SEI) describing the purpose of CMMI-DEV.

149. What is the PRIMARY security issue with application backdoors?
A. They are a form of malicious software that can allow an attacker to gain unauthorized
access to the application.
B. Backdoors are implanted in code by malicious developers to allow them to circumvent
the application’s access controls.
C. Backdoors are legitimate development tools that should be removed from the
application before release to production to avoid their abuse by unauthorized users
or attackers.
D. Backdoors can lead to denial of service (DoS) conditions if an attacker performs an
attack against the backdoor vulnerability.
The correct answer is C. Backdoors are legitimate tools that are used to allow the
developer to access certain application components directly, thus saving time and effort in
the development process and testing. Backdoors should be removed before the
applications are released into production.

150. The primary key is used to uniquely identify records in a database. By adding additional
variables to the primary key, two items with the same identifier can be differentiated. This
is often used to prevent inference attacks. Which of the following is best described by this
scenario?
A. Polymorphism
B. Polyalphabetic
C. Polyvariabolic
D. Polyinstantiation
The correct answer is D. Polyinstantiation helps prevent inference attacks by only allowing
a user to see a version of the information suitable for their clearance level. Only high-level
users would be able to see the complete, detailed information, while low-level users would
be restricted to seeing a possibly incomplete or even erroneous version of it.

151. A database that uses pre-defined groupings of data that can only be accessed based upon
a user’s authorization level uses which of the following access control models or concepts?
A. Role-based access control (RBAC)
B. Database view control
C. Mandatory access control (MAC)
D. Nondiscretionary access control (NDAC)
The correct answer is B. The database management system (DBMS) would return a view,
or logical subset, of the data in the database depending on the view specified by the
calling application. When the application is written, the application would have a “bind” to
the appropriate view.

152. Which of the following database attacks describes an attack where the perpetrator uses
information gained through authorized activity to reach conclusions relating to
unauthorized data?
A. Unauthorized access attack
B. Bypass attack
C. Structured Query Language (SQL) attack
D. Inference attack
The correct answer is D. An inference attack occurs when a user is able to infer, or deduce,
information that is of a higher sensitivity level by accessing data they were allowed to see
at a lower level of access.

153. One of the most significant differences between the software development lifecycle
(SDLC) and the system lifecycle (SLC) is that the SDLC does not include which of the
following phases?
A. Post-development operation and maintenance
B. Startup/requirements
C. Development/construction
D. Operational testing
The correct answer is A. The SDLC commonly ends at the time of system implementation.
The SLC continues through to the decommissioning or start of a new SDLC.

154. How can polyinstantiation be used to protect a sensitive database?
A. It confirms that all sensitive data within the system conforms to integrity checking.
B. It prevents low-level users from inferring the existence of higher level data.
C. It ensures that all security mechanisms within the database management system are
working together to enforce the security policy.
D. It ensures that two processes trying to access the same element will randomize the
access to ensure integrity.
The correct answer is B. Polyinstantiation is defined as allowing different versions of
similar information to exist at different classification levels for the purpose of preventing
inference possibilities, thus, preventing low-level users from inferring more sensitive
information.
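To make the mechanism behind questions 150 and 154 concrete (and the inference problem of questions 152 and 160), here is an added example that is not part of the assessment: a small in-memory multilevel table in C in which the classification level is part of the primary key, so the same key can hold one row per level. The two-level lattice, the key "P42" and the row values are all constructed for the illustration. A naive insert that treats the key alone as unique is included beside it to show the existence leak that polyinstantiation removes.

```c
/* Added example, not part of the assessment: an in-memory multilevel table
 * that polyinstantiates rows, illustrating questions 150 and 154.  The
 * lattice, keys and row values are all constructed for the illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed two-level lattice; a higher number is more sensitive. */
enum level { UNCLASSIFIED = 0, SECRET = 1 };

/* The classification level is part of the primary key (question 150), so
 * (key, UNCLASSIFIED) and (key, SECRET) are two distinct rows. */
struct row {
    char key[16];
    enum level level;
    char value[48];
};

#define MAX_ROWS 32
static struct row table[MAX_ROWS];
static int nrows = 0;

void db_reset(void) { nrows = 0; }

static struct row *find_row(const char *key, enum level level)
{
    for (int i = 0; i < nrows; i++)
        if (table[i].level == level && strcmp(table[i].key, key) == 0)
            return &table[i];
    return NULL;
}

/* Store a row; over-long fields are rejected rather than truncated. */
static int add_row(const char *key, enum level level, const char *value)
{
    if (nrows == MAX_ROWS)
        return -2;
    if (strlen(key) >= sizeof table[0].key ||
        strlen(value) >= sizeof table[0].value)
        return -3;
    struct row *r = &table[nrows++];
    strcpy(r->key, key);              /* lengths were checked above */
    r->level = level;
    strcpy(r->value, value);
    return 0;
}

/* Polyinstantiated insert: the row is stored at the subject's own level.
 * A same-key row at another level is just another instance, so the insert
 * is accepted and the subject learns nothing about other levels.  Only a
 * duplicate at the subject's own level is a real key conflict (-1). */
int db_insert(const char *key, enum level subj, const char *value)
{
    if (find_row(key, subj) != NULL)
        return -1;
    return add_row(key, subj, value);
}

/* Naive insert for comparison: the key alone is unique.  A low subject
 * whose insert is refused learns that a row it cannot read exists; this
 * is the existence inference polyinstantiation is meant to close. */
int db_insert_naive(const char *key, enum level subj, const char *value)
{
    for (int i = 0; i < nrows; i++)
        if (strcmp(table[i].key, key) == 0)
            return -1;                /* "key exists" leaks to subj */
    return add_row(key, subj, value);
}

/* Read: a subject sees the instance at the highest level it is cleared
 * for, and NULL when nothing at or below its level exists (no "access
 * denied" result that would itself hint at a higher instance). */
const char *db_select(const char *key, enum level subj)
{
    const struct row *best = NULL;
    for (int i = 0; i < nrows; i++) {
        if (strcmp(table[i].key, key) != 0 || table[i].level > subj)
            continue;
        if (best == NULL || table[i].level > best->level)
            best = &table[i];
    }
    return best ? best->value : NULL;
}

int main(void)
{
    db_reset();
    db_insert("P42", SECRET, "status: delayed (reason classified)");
    printf("low read before low insert: %s\n",
           db_select("P42", UNCLASSIFIED) ? "visible" : "no row");
    printf("naive insert by low user -> %d (existence leaked)\n",
           db_insert_naive("P42", UNCLASSIFIED, "status: on schedule"));
    printf("polyinstantiated insert  -> %d\n",
           db_insert("P42", UNCLASSIFIED, "status: on schedule"));
    printf("low reads:  %s\nhigh reads: %s\n",
           db_select("P42", UNCLASSIFIED), db_select("P42", SECRET));
    return 0;
}
```

The trade-off is visible in the table afterwards: the same key now holds two "truths", one per level, which is exactly the incomplete or erroneous view the answer to question 150 describes. Confidentiality is bought at the price of integrity, so a real DBMS using this technique also needs rules for which instance wins when data is replicated or reconciled.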

155. Why does compiled code pose more of a security risk than interpreted code?
A. Because compilers are not as trusted as interpreters
B. Because malicious code embedded into compiled code is hard to detect
C. Because browsers can execute interpreted code as part of their functionality
D. Because most web applications cannot process compiled code using legacy
programming languages
The correct answer is B. Compiled code has already been translated into machine language
and, therefore, it becomes very difficult to find and address malicious code. In interpreted
applications, the source code is visible; therefore, it may provide easier ways to detect
malicious code.

156. Which framework allows organizations to evaluate their software process based on the quality
of its associated development and maintenance processes using a 5-level scale?
A. The IDEAL model
B. The Total Quality Model (TQM)
C. The Software Capability Maturity Model (SW-CMM)
D. The Agile model
The correct answer is C. The SW-CMM model for software describes the principles
underlying software maturity and is intended to allow organizations to improve the
maturity of their software processes from chaotic to structured, mature, and disciplined.

157. The security of an application is most effective and economical in which of the following?
A. The application is optimized prior to adding security.
B. The system is purchased from an official certified vendor.
C. The system is customized to meet the specific security threats known.
D. The application is designed originally to provide the necessary security based on
requirements.
The correct answer is D. Security needs to be designed in at the start based on
requirements.

158. Building security into the application begins at
A. The development phase
B. The project initiation phase
C. The management buy-in phase
D. The functional design phase
The correct answer is B. Security needs to start becoming involved at the project initiation
phase. The management buy-in phase is not when discussions regarding security would
take place. Understanding the requirements related to compliance, goals and objectives,
and privacy would need to start at the project initiation phase.

159. Which of the following is MOST likely to cause long-term damage?
A. Black box, white hat tester
B. Black box, black hat tester
C. White box, white hat tester
D. White box, black hat tester
The correct answer is D. The black hat tester is malicious, and in white box testing the
tester knows the internal structure, design, and implementation of the application; in other
words, the tester understands the entire system, which is very dangerous when the intent is
malicious. White box testing is where the tester can “clearly” see inside, including all
parameters and internal structure.

160. Why is inference from a database an important security problem to address?
A. Statistics may be deduced from having access to records.
B. Granular access rules may be difficult to implement in database environments.
C. Private information may be deduced from aggregate data.
D. Multiple database queries using analysis tools cannot be prevented.
The correct answer is C. The definition of inference is exactly what answer C addresses.
Inference is the ability to deduce more sensitive information than you should have.

161. What is the name of a malicious program that has the ability to infect both program files
and boot sectors?
A. Multipartite
B. Polymorphic
C. Stealth
D. Companion
The correct answer is A. A multipartite virus is a malicious program that can infect more
than one type of target (both program files and boot sectors) at the same time.

162. Which of the following best characterizes a buffer overflow attack?
A. Multiple processes use the same buffer.
B. Data stored in a buffer is corrupted by the malicious program.
C. A program fails to check the buffer size limits properly.
D. A program is maliciously forced to create multiple buffers.
The correct answer is C. A buffer overflow attack is made possible by the program's failure
to enforce buffer size limits, which may allow the attacker either to conduct a denial of
service (DoS) attack or to elevate privilege levels.
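The following is an added C example, not code from the assessment, that puts the defect of question 162 next to the remedy of question 143: an unchecked copy into a fixed-size buffer beside a bounds-checked replacement that knows the destination size, measures the source with a bound, and rejects what would not fit. The buffer size, the function names and the sample inputs are constructed for the illustration.

```c
/* Added example, not part of the assessment: the unchecked copy behind a
 * classic buffer overflow next to a bounds-checked replacement, illustrating
 * questions 143 and 162.  Buffer size and sample inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16          /* constructed: room for 15 characters plus NUL */

/* Vulnerable pattern (question 162): strcpy() copies until it finds a NUL in
 * the source and never looks at the destination size.  A source longer than
 * NAME_MAX-1 bytes writes past 'name' into whatever the compiler placed next
 * (other locals, saved frame data).  Kept for comparison only; nothing in
 * this file calls it. */
void store_name_unchecked(char name[NAME_MAX], const char *src)
{
    strcpy(name, src);
}

/* Bounded length: like strnlen(), scans at most 'limit' bytes so an
 * oversized or unterminated source cannot cause an over-read either. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form (question 143): the callee receives the destination size,
 * measures the source with a bound, and rejects anything that would not fit
 * together with its terminator.  Returns 0 on success, -1 on rejection. */
int store_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = bounded_len(src, dst_size);
    if (n == dst_size)           /* no NUL within dst_size bytes: too long */
        return -1;
    memcpy(dst, src, n + 1);     /* exactly n bytes plus the NUL */
    return 0;
}

/* Wrapper so callers (and tests) can ask "would this input be accepted into
 * a NAME_MAX buffer?" without managing the buffer themselves. */
int name_fits(const char *src)
{
    char name[NAME_MAX];
    return store_name_checked(name, sizeof name, src);
}

/* Longest input accepted, derived from the buffer size rather than guessed. */
size_t name_capacity(void) { return NAME_MAX - 1; }

int main(void)
{
    const char *inputs[] = {
        "alice",                            /* fits */
        "123456789012345",                  /* exactly 15 characters: fits */
        "1234567890123456",                 /* 16: would overwrite the NUL slot */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20.20s -> %s\n", inputs[i],
               name_fits(inputs[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Two design points are worth noting. The check lives in the callee, which is the only place that reliably knows the destination size, and it rejects rather than silently truncates, so a caller cannot end up storing a value different from what was validated. In a strongly typed, memory-safe language the runtime performs the same length comparison on every write, which is why answer D of question 143 lists language choice alongside bounds checking; compiler and OS mitigations such as stack canaries, non-executable stacks and address space layout randomization are defense in depth on top of this, not a substitute for it.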
