View CISSP Exam Questions

Q: 1

DRAG DROP Match the name of access control model with its associated restriction. Drag each access control model to its appropriate restriction access on the right. ISC2 CISSP Exam Questions question

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Mandatory Access Control
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule based access control

Discussion

Ajay G. Jan 31, 2026 4:32 am

Mandatory Access Control → End user cannot set controls, Discretionary Access Control → Subject has total control over objects, Role Based Access Control → Duties based on job function, Rule-based access control → Roles by custodian. That's how I've seen it lined up in most CISSP guides, fits what they're asking. Open to debate if anyone reads it differently.

Luna T. Feb 1, 2026 7:19 am

I don’t think RBAC is total control, that’s DAC. Trap here is mixing up role and rule-based since the names are close. Should be: MAC → End user cannot set controls, DAC → Subject has total control, RBAC → Duties/jobs, Rule-based → Roles by custodian.

Priya E. Feb 3, 2026 2:21 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → Duties based on job function, Rule-based → Roles by custodian. Pretty sure this matches textbook definitions, at least that's what most practice tests show. Correct me if I'm missing something.

Hannah P. Feb 3, 2026 12:30 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control, RBAC → Duties by job function, Rule-based → Roles by custodian. Nice clear mapping on this one.

Ivy Feb 1, 2026 12:33 pm

Mandatory Access Control → End user cannot set controls, Discretionary Access Control → Subject has total control over objects, Role Based Access Control → Dynamically assigns permissions based on job function, Rule based access control → Dynamically assigns roles by custodian criteria. I've seen similar wording in CISSP practice, and there's a trap with swapping RBAC and Rule-based-easy to mix up. Pretty sure this mapping is correct but open to discussion if someone spots a nuance.

AmeliaD Jan 29, 2026 11:20 pm

Totally agree with MAC to end user cannot set controls, DAC is subject has total control, RBAC ties permissions to job functions, and Rule-based is roles via custodian criteria. That's how most CISSP sources show it. Pretty confident but always open to another take if anyone sees it different.

Leo Feb 8, 2026 10:16 pm

I see the confusion, but pretty sure it's MAC for end user can't set controls, DAC for subject has total control over objects, RBAC for job function duties, Rule-based for roles by custodian criteria. That's how official CISSP guides usually match them up. Correct me if you see it differently!

SkepticalLead8899 Feb 2, 2026 5:07 pm

Mandatory Access Control → End user cannot set controls, Discretionary Access Control → Subject has total control over objects, RBAC → Dynamically assigns permissions to duties by job function, Rule-based → Dynamically assigns roles to subjects via criteria by custodian. That's the match most CISSP material uses. Pretty sure this is right but let me know if you spot a catch.

Chloe N. Feb 9, 2026 1:18 am

Had something like this in a mock, in a practice set: MAC to end user can't set controls, DAC to subject total control, RBAC to permissions by job function, Rule-based to roles by custodian criteria. Pretty standard CISSP mapping.

MiaD Feb 2, 2026 3:40 pm

So the mapping should be: Mandatory Access Control → End user cannot set controls, DAC → Subject has total control, RBAC → Duties/job function, Rule-based → Roles by custodian. There's a catch though-sometimes rule-based gets confused with RBAC if you miss how the criteria are set. Double-checked exam reports on this.

Be respectful. No spam.

Correct Answer:

Restrictions End user cannot set controls: A. Mandatory Access Control Subject has total control over objects: B. Discretionary Access Control (DAC) Dynamically assigns permissions to particular duties based on job function: C. Role Based Access Control (RBAC) Dynamically assigns roles to subjects based on criteria assigned by a custodian: D. Rule based access control

Explanation

The matching aligns each access control model with its defining characteristic.

Mandatory Access Control (MAC) is a centralized model where a system authority enforces access based on security labels (e.g., clearances and classifications). The owners or end users of objects do not have the authority to change these access rules.
Discretionary Access Control (DAC) is a decentralized model where the owner (a subject) of a resource (an object) has the discretion to grant or deny access to other subjects. This gives the subject total control over the objects they own.
Role Based Access Control (RBAC) simplifies administration by assigning permissions to roles that correspond to job functions. Users are then assigned to these roles, inheriting the associated permissions necessary for their duties.
Rule-based access control uses a set of configurable rules or criteria to make access decisions. The specific scenario described—dynamically assigning roles based on criteria—is a form of rule-based logic applied to an RBAC framework, often seen in modern identity management systems.

References

National Institute of Standards and Technology (NIST). (2017). NIST Special Publication 800-192: Verification and Test Methods for Access Control Policies/Models. Section 2.1, "Access Control Policies/Models Definitions". This document defines MAC as non-discretionary and DAC as allowing owners to specify access. DOI: https://doi.org/10.6028/NIST.SP.800-192

National Institute of Standards and Technology (NIST). (n.d.). Glossary: Role-Based Access Control. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary/term/role_based_access_control. This source defines RBAC as being "based on user roles...Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization."

Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. Chapter 4, "Access Control". This textbook provides foundational academic descriptions, explaining that with DAC, "an entity may be granted access rights that enable the entity, by its own volition, to enable another entity to access some resource" (p. 116), whereas with MAC, controls are "not subject to the object owner's discretion" (p. 120).

Hu, V. C., Ferraiolo, D., Kuhn, R., Friedman, A. R., Lang, A. J., et al. (2013). Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication 800-162. Section 2.3.4 discusses how ABAC (a form of rule-based control) can be used to implement dynamic role assignment, stating, "In some cases the subject's assigned role...may be determined dynamically from subject attributes." This directly supports the match for rule-based access control. DOI: https://doi.org/10.6028/NIST.SP.800-162

Q: 2

Which of the following value comparisons MOST accurately reflects the agile development approach?

Options

Discussion

MayaE Jan 26, 2026 6:53 pm

D fits best here. Agile is about delivering working software and not getting bogged down in heavy documentation. The other options flip the agile values, so pretty sure D is correct but open to other thoughts if I missed something.

HelpfulSec3289 Feb 12, 2026 3:14 am

C/D? Both get picked sometimes but I'm saying D. That's the straight-up Agile Manifesto wording.

AveryI Feb 4, 2026 11:39 am

D
Agile puts working software above comprehensive docs, per the Agile Manifesto. The other options flip agile values around, which isn't accurate. Pretty sure it's D, but open to other takes.

NehaK Feb 13, 2026 11:56 pm

C , since planning is huge in dev projects. I know Agile values adaptability, but following a plan seems more accurate if you consider how teams actually try to structure sprints. D feels a bit too obvious a trap here. Could be wrong though.

Taylor Jan 29, 2026 12:55 pm

D , that's the closest match to Agile's actual values.

CalmTester4695 Jan 31, 2026 9:53 am

D imo, that's straight from the Agile Manifesto-working software prioritized over docs every time.

Ivy C. Jan 30, 2026 10:59 pm

I don't think it's D, since Agile is more about collaboration and flexibility. B looks tempting because contract negotiation sometimes gets highlighted as important in large orgs, so I'd say B for this one. Trap option with D if you aren't careful.

Aaron Feb 1, 2026 3:40 pm

Maybe D here, since the others are all giving the wrong priority (that's a common trap for Agile values questions). If it's about what Agile really emphasizes, working software wins over docs but not 100 percent sure.

Riley Q. Feb 10, 2026 8:21 am

B . Contract negotiation over customer collaboration makes sense to me since you want the agreement sorted out early for less risk, especially in bigger projects. Agile talks a lot about collaboration, but sometimes contracts are the real foundation. Not 100% if this is what they’re after but that’s my take.

Sanjay J. Feb 5, 2026 10:50 am

Don’t think it’s D here, since Agile actually values documentation less than working software. For this, maybe A is closer but I could be off-tricky question the way they inverted the values.

Be respectful. No spam.

Q: 3

A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?

Options

Discussion

Casey Feb 8, 2026 5:24 pm

A. saw a similar question in a practice set and deployment is all about getting those tools in place.

Jason C. Feb 1, 2026 8:02 am

A (not D), . Deployment is mostly about getting the right tools in place, training usually happens after. D can be a trap if you mix up rollout steps, at least in CISSP context.

MorganJ Feb 2, 2026 9:03 pm

Seriously wish ISC2 would make these deployment phase definitions less fuzzy. A

Liam Feb 14, 2026 7:07 am

Ugh, ISC2 always overcomplicates with their phases. A

Ishaan H. Jan 27, 2026 8:00 pm

A is the best fit for what deployment means in CISSP context, since it’s about getting the actual tools and systems in place. Training stakeholders (D) usually comes later once the supporting tech is running. Pretty sure about this one, but let me know if you see it differently.

PreciseAuditor4426 Feb 9, 2026 1:49 am

ISC2 loves making deployment phase stuff confusing, but A imo.

Piya G. Feb 5, 2026 6:12 am

A , deployment phase is all about selecting and buying the right tools, not training folks.

Sean I. Feb 4, 2026 4:47 pm

A or D? Not totally sure since training can overlap with rollout, but pretty sure A matches typical deployment steps.

Robin Feb 7, 2026 3:54 pm

Deployment phase is about putting tools into production, so A. Budgeting and training come before or after, not during deployment.

AdamL Jan 26, 2026 2:19 am

B for me. Had something like this in a mock and it focused on budgeting during deployment. Pretty sure that financial planning happens here too, not just tech setup.

Be respectful. No spam.

Correct Answer:

Explanation

The deployment phase of establishing a vulnerability management program focuses on implementing the designed program and making it operational. A fundamental task in this phase is to select, procure, and configure the necessary supporting technologies, such as vulnerability scanners, patch management systems, and ticketing systems. These tools form the technical foundation of the program, and their deployment is a prerequisite for subsequent operational activities like scanning, analysis, and remediation.

References

1. Carnegie Mellon University

Software Engineering Institute (CMU/SEI). In the technical note "A Framework for a Vulnerability Management Program

" the authors state

"The selection of tools is a critical step in the implementation of a vulnerability management program." The deployment phase is synonymous with the implementation phase

where the planned program is put into action.

Source: Alberts

& Dorofee

A. (2005). A Framework for a Vulnerability Management Program (CMU/SEI-2005-TN-028). Carnegie Mellon University. (See Section 3.3

"Tool Selection").

2. NIST Special Publication 800-100

"Information Security Handbook: A Guide for Managers." This guide outlines the information security program life cycle

which includes initiation

development/acquisition

implementation

operation/maintenance

and disposal. The selection and procurement of technologies fall squarely within the "development/acquisition" phase

which directly precedes the "implementation" (or deployment) phase. In the context of establishing a new program

these are often grouped as deployment activities.

Source: NIST SP 800-100

Chapter 3

"Information Security Program Management

" Section 3.3

"Information Security Program Life Cycle."

3. University of California

Berkeley

Information Security Office. Courseware and guidance on establishing security programs consistently place budgeting and charter development in the initial "Strategy & Plan" phase

while tool acquisition and implementation occur in the "Build/Deploy" phase. Measuring metrics occurs in the final "Measure & Improve" phase.

Source: UC Berkeley Security

"Vulnerability Management Program

" Program Development Lifecycle documentation. (Illustrates the standard phased approach to program creation).

Q: 4

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

Options

Discussion

Arjun Feb 8, 2026 11:14 pm

D. Security requirements have to be set right after business analysis and data categorization, not later in SDLC. If you wait until after vulnerability analysis or design phases, it's too late to integrate them fully.

MethodicalNeteng4453 Feb 12, 2026 9:20 pm

Its D, not B. Vulnerability analysis comes after, trap for people mixing up SDLC order.

Aaron Jan 25, 2026 5:54 am

No way it's B, D is right. Security functional requirements come after business analysis and data categorization, not after vulnerability analysis.

MiaF Feb 11, 2026 5:42 pm

I don’t see how B fits since vulnerability analysis happens after requirements are set, not before. Security functional requirements need both the business analysis and knowing your data’s sensitivity, so D is the right sequence. Could be a tricky one if you miss that order.

Sara Q. Feb 5, 2026 6:53 pm

Option B. Requirements usually get clearer after vulnerability checks but before detailed design.

MayaY Feb 3, 2026 8:00 pm

Yeah, D makes the most sense. Security functional requirements have to be based on both business needs and the data's importance, so you need that info first. Pretty sure that's what CISSP wants here.

FocusedEngineer7292 Feb 13, 2026 3:07 am

B tbh, had something like this in a mock and picked B because vulnerability analysis feels like a logical spot for security requirements. Not fully sure though.

Grace Feb 6, 2026 3:50 pm

Its D

Chloe U. Jan 25, 2026 8:55 am

Totally agree, D is right. Security requirements go in after the functional analysis plus data categorization.

Be respectful. No spam.

Correct Answer:

Explanation

Software security functional requirements must be defined early in the Software Development Life Cycle (SDLC) to ensure security is built-in, not bolted on. This process logically follows the initial analysis of the system's purpose and the data it will handle. First, the business functional analysis determines what the system needs to do. Second, data security categorization (e.g., per FIPS 199) assesses the sensitivity of the information being processed. Only after understanding both the system's function and the data's value can appropriate and specific security requirements (e.g., access controls, encryption levels) be defined. This "shift left" approach is fundamental to secure systems engineering.

References

1. NIST Special Publication 800-64 Revision 2

Security Considerations in the System Development Life Cycle.

Section 2.1

Initiation Phase: This section states

"During the Initiation Phase

the need for a system is expressed and the purpose of the system is documented... Security requirements should be identified and discussed at this early stage." It explicitly links the initial business need and the security categorization (based on FIPS 199) as precursors to defining these requirements.

2. NIST Special Publication 800-160 Volume 1

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

Section 2.3.2

Stakeholder Needs and Requirements Definition Process: This section describes the process to "define the stakeholder requirements for a system." It emphasizes that this occurs at the beginning of the life cycle to capture all needs

including security

which are derived from the business or mission objectives and the required level of protection for assets.

3. Federal Information Processing Standards Publication (FIPS) 199

Standards for Security Categorization of Federal Information and Information Systems.

Section 3

Categorizing Information and Information Systems: This standard establishes the importance of categorizing information based on confidentiality

integrity

and availability impacts. This categorization is a foundational step in the risk management process and directly informs the selection of security controls and requirements early in the SDLC.

Q: 5

What does the result of Cost-Benefit Analysis (C8A) on new security initiatives provide?

Options

Discussion

Noah Feb 2, 2026 9:28 am

Its A. D trips people up but CBA's output is just quantifiable justification, not the formal acceptance step.

Arjun X. Feb 11, 2026 5:54 pm

A , similar question was on my last practice set and it was always about quantifiable justification.

Anita Jan 26, 2026 1:02 pm

A makes the most sense here. Cost-Benefit Analysis is all about showing management a clear, financial reason to approve (or reject) a security investment-so it's the quantifiable justification they're after. Risk evaluation (C) is part of doing the CBA but not what gets delivered at the end. Pretty sure A is right, but open to other views if I'm missing something.

Ajay G. Feb 10, 2026 2:10 pm

Pretty sure A, that's what the official study guide and main exam practice sources say too.

Neha I. Jan 25, 2026 6:58 am

I get why folks are thinking C here. Risk evaluation is definitely part of the process, since you have to know your risks before doing a CBA. So I'd pick C too, since the analysis ends up tying security investments back to risk levels. Might be missing the focus on justifying with numbers though. Anyone got a different take?

MethodicalMentor4646 Jan 31, 2026 3:40 am

C tbh, saw similar wording on a practice exam and risk evaluation was the expected output.

Nathan U. Feb 12, 2026 3:26 pm

Probably A, since cost-benefit analysis is all about making the case in numbers for why a security investment makes sense. It’s less about risk evaluation itself and more about giving management something quantifiable to decide on. Makes sense? Open to other views.

TaylorR Jan 27, 2026 3:38 pm

I think it's C. A risk evaluation is usually part of the analysis for new security options.

Be respectful. No spam.

Correct Answer:

Explanation

A Cost-Benefit Analysis (CBA) is a fundamental financial process used in risk management to evaluate the viability of a security initiative. It directly compares the monetary cost of implementing and maintaining a control against its projected financial benefit. This benefit is typically measured as the reduction in risk, often quantified by the decrease in the Annualized Loss Expectancy (ALE). The final output of a CBA is a data-driven, financial argument (e.g., Return on Security Investment - ROSI) that provides a quantifiable justification for management to decide whether to approve the expenditure. It translates a technical security requirement into a business-centric financial decision.

References

1. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30

Revision 1).

Section 3.3.3

Analysis of Alternatives: This section describes the process of evaluating different courses of action for risk response. It states that organizations should "evaluate the relative advantages and disadvantages (e.g.

effectiveness

feasibility

cost-benefit) of the alternative courses of action." This highlights that the CBA is the tool for providing a justifiable comparison.

2. Gordon

L. A.

& Loeb

M. P. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security

5(4)

438–457. https://doi.org/10.1145/581271.581274

Page 440: The paper introduces an economic model for information security investment

stating

"The model shows how the optimal amount to invest in information security is an increasing function of the vulnerability of the information to security breaches." The entire premise is to provide a quantifiable

economic justification for security spending

which is the core of a CBA.

3. Van Oorschot

P. C. (2020). Computer Security and the Internet: Tools and Jewels. Springer.

Chapter 10

Section 10.2.2

Risk Analysis: This section discusses quantitative risk analysis

explaining that the goal is to assign monetary values to assets and the impact of threats. It notes that the results

such as the ALE

are used in a cost-benefit analysis to "justify the cost of countermeasures." This directly supports that the result of a CBA is justification.

Q: 6

A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?

Options

Discussion

Luke Feb 14, 2026 9:32 am

Guessing D . Network always feels like a big risk for BCP even in a Tier 4, right?

Emma T. Feb 1, 2026 3:47 am

Option A. Not totally sure though, since D looks tempting at first if you don't factor in the Tier 4 redundancy. Network and power are handled by design, app failures aren't. If someone strongly feels it's D, let me know why.

Noah A. Feb 13, 2026 6:07 am

Yeah, it's A here. Tier 4 already handles power and network so app-level issues are what the BCP should focus on next.

Riley Feb 8, 2026 10:58 am

A tbh

Ravi O. Jan 25, 2026 6:31 pm

Leo X. Feb 6, 2026 4:51 am

Jack T. Jan 25, 2026 5:22 pm

Not convinced it's D. Tier 4 redundancy handles network and power so app failure (A) is a bigger BCP concern here.

ZoeQ Jan 31, 2026 1:37 am

A tbh. Tier 4 covers power and network very well, so application failure is the main thing left for BCP. D is a classic trap for those forgetting the redundancy piece. Seen this angle on practice too, but open if someone sees it different.

SteadyAnalyst6927 Feb 8, 2026 1:51 pm

Why would power or network matter if Tier 4 takes care of infra downtime?

Ravi Feb 4, 2026 11:11 pm

Pretty sure A. These CISSP questions make it sound like power or network would still matter, but Tier 4 handles infra redundancy. So app failure's the big BCP risk left, at least from all the similar exam reports I've seen.

Be respectful. No spam.

Correct Answer:

Explanation

A Tier 4 data center is defined by the Uptime Institute as having "Fault Tolerant Site Infrastructure." This means it has 2N+1 fully redundant infrastructure for power, cooling, and network connectivity, ensuring that a single, unplanned failure of any infrastructure component will not affect IT operations. Given that the physical infrastructure risks (power, network, and the environment for storage) are significantly mitigated by the Tier 4 design, the IT manager's focus in Business Continuity Planning (BCP) must shift to areas not covered by the facility's rating. Application failures—resulting from software bugs, flawed logic, data corruption, or misconfiguration—are independent of the physical infrastructure's resilience and thus represent a more prominent remaining risk.

References

1. Uptime Institute. (2021). Tier Standard: Topology. TUI3026E. Section 7.0

"Tier IV: Fault Tolerant Site Infrastructure

" states

"A Tier IV data center has multiple

independent

and physically isolated systems that each have redundant capacity components... A single failure of any equipment or distribution element will not impact the IT equipment." This standard focuses on power

cooling

and network as the core infrastructure components covered.

2. National Institute of Standards and Technology (NIST). (2010). Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. Page 11

Section 2.3

"Types of Disruptions." The guide categorizes disruptions

listing "System/Application Failure or Malfunction" separately from facility-level issues like "Disruption of Power" or "Disruption of Telecommunications." This highlights that application failure is a distinct concern from the infrastructure failures mitigated by a Tier 4 design.

3. Patterson

D. A. (2014). CS 162: Operating Systems and Systems Programming

Lecture 21: "Data Centers." University of California

Berkeley. The lecture notes discuss data center reliability

emphasizing that while top-tier data centers (like Tier 4) solve for power and cooling failures

failures still occur due to software bugs

operator error

and network issues within the software stack

which are outside the scope of the facility's physical tier rating.

Q: 7

HOTSPOT In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?

Your Answer

Discussion

Emma R. Feb 11, 2026 2:00 am

Makes sense to go with LAN 4. DMZ segment is designed for less-trusted users and can restrict contractor access to only what’s needed. Official study guide and network architecture diagrams help clarify this setup, if you want to double-check.

Rowan V. Jan 28, 2026 5:06 am

LAN 4

Karan U. Feb 9, 2026 6:56 am

LAN 4. If guests need Internet but only select enterprise services, DMZ (LAN 4) minimizes risk to internal resources.

Karan M. Feb 1, 2026 11:45 am

Honestly these DMZ questions always feel a bit too textbooky, but LAN 4 is right here. It's the DMZ, so you get separation for contractors and can tightly control what they access-way better than risking it on a more internal segment. Only doubt is if the question wanted true internal trust, but that's not what it's asking.

Daniel X. Feb 6, 2026 11:39 am

LAN 4 (the DMZ) is the best spot for this WAP if contractors only need Internet and limited enterprise access. DMZ design keeps traffic from hitting internal resources directly, which lines up with least privilege. Pretty standard CISSP logic but open for debate if business needs were different!

Leo U. Feb 3, 2026 10:31 pm

LAN 4

Jordan O. Feb 5, 2026 8:43 pm

LAN 4

Zoe Q. Feb 5, 2026 10:47 pm

Nah, not LAN 3-LAN 4 is the DMZ, that's where you stick external or semi-trusted stuff like contractor WAPs. LAN 3 looks tempting but doesn't give the same isolation, seen this trip people up in practice.

Cameron S. Feb 10, 2026 4:28 am

LAN 4 is the best spot for the WAP since it's the DMZ. Keeps contractor traffic isolated from the real internal network but still lets them hit Internet and select services. Pretty sure that's what CISSP wants here, unless they're asking for full internal access (which isn't likely).

Quinn Feb 13, 2026 3:11 am

LAN 3
I'd pick LAN 3 since it's separated from the internal LAN but still on the inside perimeter, so it feels more secure than putting external users right into a DMZ. Not fully sure though, maybe there's something I'm missing about DMZ vs internal segmentation. Open to corrections if I'm off here.

Be respectful. No spam.

Correct Answer:

LAN 4

Explanation

The network segment labeled LAN 4 represents a Demilitarized Zone (DMZ), which is a perimeter network located between two firewalls. A DMZ is the most secure location to deploy services for less-trusted users, such as contractors, because it isolates their traffic from the highly secured internal network (LAN 2). Placing the Wireless Access Point (WAP) in the DMZ allows contractors to access the Internet through the external firewall while the internal firewall can enforce strict rules, granting access only to specific, authorized enterprise services. This architecture upholds the principle of least privilege and protects critical assets on the internal network, such as the Database Server in LAN 2.

References

Stallings, W. (2017). Network Security Essentials: Applications and Standards (6th ed.). Pearson.

Reference: Chapter 9, Section 9.2, "Firewall Configurations," particularly the discussion on the "Screened Subnet Firewall System" (p. 297, Figure 9.5c). This section details the dual-firewall architecture where the DMZ is the isolated network between an external and internal firewall, which is the standard design for securely hosting systems that require external access without exposing the internal network.

Zwicky, E. D., Cooper, S., & Chapman, D. B. (2000). Building Internet Firewalls (2nd ed.). O'Reilly & Associates.

Reference: Chapter 6, "Firewall Architectures," specifically the section on "Screened Subnet" (pp. 138-142). This source describes the screened subnet (DMZ) as the canonical solution for allowing access from the Internet to selected hosts while protecting the internal network. Placing a WAP for semi-trusted users in this zone is a direct application of this principle.

Cheswick, W. R., Bellovin, S. M., & Rubin, A. D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). Addison-Wesley Professional.

Reference: Chapter 4, "Firewall-Friendly Protocols and the DMZ." The chapter explains that the purpose of a DMZ is to create a "neutral zone" for machines that need to be accessible from the outside but should not be trusted on the internal network. This concept directly applies to creating a network segment for contractors.

Q: 8

DRAG DROP Rank the Hypertext Transfer protocol (HTTP) authentication types shows below in order of relative strength. Drag the authentication type on the correct positions on the right according to strength from weakest to strongest.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Digest
Integrated Windows Authentication
Basic
Client Certificate

Discussion

ReeseL Jan 26, 2026 10:03 pm

Yeah, it's Basic then Digest then Integrated Windows Auth then Client Certificate.

Skyler P. Feb 8, 2026 12:33 pm

Basic -> Weakest, Digest -> Weak, Integrated Windows Auth -> Strong, Client Certificate -> Strongest

Aaron Feb 13, 2026 4:42 am

Basic → Weakest, Digest → Weak, Integrated Windows Auth → Strong, Client Certificate → Strongest

Luna M. Feb 7, 2026 4:20 am

Pretty sure Karan swapped Digest and Integrated Windows Auth. Integrated Windows Auth uses Kerberos or NTLMv2 which is stronger than Digest, which just hashes creds with MD5. So ordering should be: Basic, Digest, Integrated Windows Auth, Client Certificate. Trap here is thinking Digest is stronger than IWA.

Chris E. Feb 12, 2026 4:19 pm

Nice, that's the order I remember too: Basic, Digest, Integrated Windows Auth, then Client Certificate for strongest. No explanation needed here.

Zoe W. Feb 4, 2026 12:20 pm

Basic → Weakest, Digest → Weak, Integrated Windows Auth → Strong, Client Certificate → Strongest. That's the typical CISSP ranking.

Aaron V. Feb 12, 2026 6:28 pm

Same order I see in the official guide and most practice exams: Basic, Digest, Integrated Windows Authentication, then Client Certificate as strongest. If you check the exam outline or CISSP study books it matches up.

Jason W. Jan 29, 2026 6:56 am

Some folks miss that Digest is actually stronger than Basic but still not as robust as Integrated Windows Auth. So it's Basic -> Digest -> Integrated Windows Auth -> Client Certificate. If they ask about default configs, this order makes sense I think.

Vikram Y. Jan 25, 2026 11:29 am

I put Basic as Weakest, then Digest, Integrated Windows Auth, and Client Certificate as Strongest. That's because Basic just encodes creds, Digest is better but old hash, IWA uses Kerberos or NTLMv2 which is way stronger, and client certs are top tier due to PKI. Pretty sure that's what they want here. Agree?

Vikram Feb 8, 2026 7:01 pm

Basic → Weakest, Digest → Weak, Integrated Windows Auth → Strong, Client Certificate → Strongest. Had something like this in a mock. Order matches how each protocol handles credentials, with client certs always rated highest. Pretty sure about this but happy to hear other takes.

Be respectful. No spam.

Correct Answer:

Strength Weakest: C. Basic Weak: A. Digest Strong: B. Integrated Windows Authentication Strongest: D. Client Certificate

Explanation

This ranking is based on the security of how credentials are handled and the underlying cryptographic protocols.

Basic authentication is the weakest because it sends the username and password over the network in a plaintext-equivalent form (Base64 encoding), offering no confidentiality.
Digest authentication is an improvement, using a challenge-response protocol that avoids sending the password in the clear. However, it typically relies on the MD5 hashing algorithm, which is now considered cryptographically weak and vulnerable.
Integrated Windows Authentication (IWA) is strong as it leverages secure, ticket-based protocols like Kerberos or the NTLMv2 challenge-response mechanism. These protocols are designed to prove a user's identity without transmitting passwords across the network.
Client Certificate authentication is the strongest. It uses Public Key Infrastructure (PKI) for mutual authentication between the client and server. The client must possess a private key corresponding to its public certificate, providing a much higher level of identity assurance than password-based systems.

References

Internet Engineering Task Force (IETF). (2015). RFC 7617: The 'Basic' HTTP Authentication Scheme. Section 4: Security Considerations. This section explicitly states, "In the absence of a secure channel, the 'Basic' authentication scheme transmits credentials in the clear."

Internet Engineering Task Force (IETF). (2015). RFC 7616: HTTP Digest Access Authentication. Section 5: Security Considerations. This document discusses the advantages of Digest over Basic but notes its vulnerabilities, including the weakness of the default MD5 algorithm.

Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. In Chapter 20.3, "HTTPS," the text discusses client certificates as a strong authentication mechanism as part of TLS mutual authentication.

Microsoft Documentation. (2021). Integrated Windows Authentication. Microsoft Learn. This document details how IWA uses Kerberos and NTLM, stating, "With Integrated Windows authentication, user credentials aren't sent to the server." This inherent design makes it stronger than schemes that transmit credentials or their weak derivatives.

Q: 9

Which of the following management process allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?

Options

Discussion

Logan Feb 3, 2026 3:14 pm

Pretty sure A: is what I picked. Had a similar scenario in my exam last year, config mgmt covered disabling services and default password changes. Changing ongoing user creds would be more Identity. Pretty sure on this one but let me know if anyone disagrees.

Meera U. Feb 5, 2026 9:21 pm

A tbh. Restricting unnecessary services and setting baseline configs is classic config management, even with that password change mention. It's not Identity if we're just talking about changing defaults one time. Anyone see legit CISSP practice where this wasn't config mgmt?

Aisha J. Feb 8, 2026 12:21 pm

Not B, A. Changing default passwords might seem like identity, but limiting services and AV updates make config the right call. The identity trap gets people.

Leo T. Feb 1, 2026 4:22 am

Had something like this in a mock and I went with B. Changing default passwords felt like an identity management move, even though the other actions lean config. Might be overthinking it, but that's what I'd pick here-thoughts?

SeanZ Jan 30, 2026 4:28 am

Its A. Option B seems close but the disabling of services and pushing AV updates is way more config than identity. Not 100 percent sure since passwords come up, but all together these sound like secure configuration tasks. Disagree?

Leo Feb 10, 2026 10:33 am

D , unless changing defaults counts as config, then maybe A.

Rowan G. Jan 26, 2026 7:15 pm

Option A makes sense. Had something similar in my practice set and config was the answer, since restricting services and updating AV are config management basics. Not 100 percent sure with the password bit though, since that sometimes trips me up.

Ajay M. Feb 10, 2026 12:53 pm

A because it's all config management stuff: limiting services, default password changes and AV updates are classic CISSP secure baseline actions. Pretty sure that's what ISC2 is testing for here despite the password bit.

Owen O. Feb 5, 2026 12:42 pm

B. not A

Anita F. Feb 4, 2026 3:50 am

Be respectful. No spam.

Correct Answer:

Explanation

The activities described—allowing only necessary services (least functionality), changing default passwords, and configuring antivirus updates—are all core components of establishing and maintaining a secure system baseline. This process is known as secure Configuration Management. It involves hardening systems by defining, implementing, and enforcing a secure state to reduce the attack surface. These actions are not primarily about managing user identities, applying patches, or auditing for compliance, but rather about setting the system's configuration parameters to a known, secure standard.

References

1. NIST Special Publication 800-128

"Guide for Security-Focused Configuration Management of Information Systems." Section 2.1 defines Security-Focused Configuration Management (SecCM) as the management and control of configurations for an information system to enable security and manage risk. The activities listed in the question are examples of establishing a secure configuration baseline.

2. NIST Special Publication 800-53 Revision 5

"Security and Privacy Controls for Information Systems and Organizations." The Configuration Management (CM) control family directly addresses this. Specifically

control CM-7 "Least Functionality" requires the organization to configure systems to provide only essential capabilities

which includes disabling unnecessary services. Changing default passwords (IA-5) and configuring antivirus (SI-3) are also part of establishing a secure baseline configuration (CM-2).

3. Purdue University

"Information Security Policy (VII.B.2)." University policies on information security

often used in courseware

define configuration management as a key process. For example

Purdue's policy states that "System hardening and configuration management standards must be followed to protect University IT Resources from unauthorized access and misuse

" explicitly linking hardening activities to configuration management. (See Section on System Administration Practices).

Q: 10

DRAG DROP Match the name of access control model with its associated restriction. Drag each access control model to its appropriate restriction access on the right.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Mandatory Access Control
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule based access control

Discussion

Skyler C. Feb 7, 2026 10:45 am

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → permissions by job function, Rule based → custodian criteria. Had something like this in a mock, looks solid.

Avery Q. Feb 3, 2026 3:50 am

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → Dynamically assigns permissions to duties by job function, Rule based → Dynamically assigns roles using custodian criteria.

Ava Feb 1, 2026 2:14 am

Mandatory Access Control to end user cannot set controls, DAC to total control, RBAC to job function, Rule based to custodian criteria. That's how I see it lining up for CISSP. Pretty sure that's what the exam wants.

QuickEngineer7835 Feb 9, 2026 8:16 am

Yeah, the mapping goes: MAC to end user cannot set controls, DAC to total control, RBAC to job function, Rule based to custodian criteria. Matches how CISSP outlines each model. Pretty confident in this.

Jordan B. Feb 2, 2026 8:37 am

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control, RBAC → job function, Rule based → criteria. Just watch out: RBAC and Rule based get mixed up if you forget that roles are static in pure RBAC. Seen similar on practice tests.

Sanjay Q. Feb 10, 2026 2:49 pm

MAC to End user cannot set controls, DAC to total control, RBAC to job function, Rule based to custodian criteria.

Noah Feb 2, 2026 12:14 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → job function duties, Rule based → custodian criteria. I don’t think Rule-based fits job function (common trap here).

ChloeT Feb 13, 2026 10:52 pm

Nah, RBAC actually matches to 'Dynamically assigns roles to subjects based on criteria' and Rule based goes with 'permissions by job function'.

Jordan Feb 9, 2026 1:55 pm

MAC → End user cannot set controls, DAC → Subject has total control over objects, RBAC → duty by job function, Rule based → custodian criteria. I mixed up the dynamic assignment wording at first, but pretty sure this fits standard CISSP definitions. If anyone thinks RBAC and Rule based should swap, chime in.

Emma G. Jan 28, 2026 8:54 am

Honestly, Rule based to job function and RBAC to custodian criteria always messes with me on these. So I mapped: MAC → End user cannot set controls, DAC → Subject has total control over objects, RBAC → custodian criteria, Rule based → job function. Seems close enough from some exam reports.

Be respectful. No spam.

Correct Answer:

Explanation

The matching is based on the defining characteristics of each access control model.

Mandatory Access Control (MAC) is a non-discretionary model where a central authority defines access policies based on security labels (e.g., clearance levels). The end user has no authority to change these system-enforced rules.
Discretionary Access Control (DAC) allows the owner (subject) of a resource (object) to determine the access permissions for other users at their discretion.
Role Based Access Control (RBAC) simplifies administration by grouping permissions into roles that correspond to job functions. Users are assigned roles, thereby acquiring the permissions associated with those duties.
Rule Based Access Control uses specific rules or policies that evaluate conditions (criteria) to grant or deny access. A sophisticated implementation of this model can dynamically assign roles to a subject if certain criteria, set by an administrator (custodian), are met.

References

For MAC and DAC: Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 17(7), 38-41. (In Section I.A.3, "Design Principles," the document contrasts centrally-managed, mandatory controls with schemes where individual users control access to their own data, which is the core of the MAC vs. DAC distinction). DOI: https://doi.org/10.1145/361011.361062

For RBAC: Ferraiolo, D. F., & Kuhn, D. R. (1992). Role-Based Access Control. Proceedings of the 15th National Computer Security Conference, (pp. 554-563). (This foundational paper defines RBAC as a method of restricting system access to authorized users based on their roles within an organization. Section 3, "The Model," explicitly links roles to job functions). Available via NIST: https://csrc.nist.gov/csrc/media/projects/role-based-access-control/documents/ferraiolo-kuhn-92.pdf

For Rule-Based/Attribute-Based Control: Hu, V. C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2014). Guide to Attribute Based Access Control (ABAC) Definition and Considerations (NIST Special Publication 800-162). National Institute of Standards and Technology. (Section 2.1 defines ABAC, a modern form of rule-based control, as a model where rules evaluate attributes—or criteria—to make access decisions. This can include dynamically managing a subject's privileges or role memberships based on these attributes). DOI: https://doi.org/10.6028/NIST.SP.800-162

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE