View CISSP Exam Questions

Q: 1

DRAG DROP Match the name of access control model with its associated restriction. Drag each access control model to its appropriate restriction access on the right. ISC2 CISSP Exam Questions question

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Mandatory Access Control
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule based access control

Discussion

Piya B. Mar 12, 2026 8:56 am

Actually, it's MAC to end user cannot set controls, DAC to subject has total control, RBAC to permissions by job function, Rule-based to roles by custodian. Easy to flip RBAC and Rule-based if you go too fast. Pretty sure that's correct from similar exam questions.

Sean M. Mar 16, 2026 12:53 am

Ugh, this drag & drop wording is annoying, but it's MAC → end user cannot set controls, DAC → subject has total control over objects, RBAC → dynamically assigns permissions by job function, Rule-based → dynamically assigns roles by custodian criteria.

Ajay G. Mar 17, 2026 1:57 pm

Mandatory Access Control → End user cannot set controls, Discretionary Access Control → Subject has total control over objects, Role Based Access Control → Duties based on job function, Rule-based access control → Roles by custodian. That's how I've seen it lined up in most CISSP guides, fits what they're asking. Open to debate if anyone reads it differently.

Luna T. Mar 18, 2026 4:44 pm

I don’t think RBAC is total control, that’s DAC. Trap here is mixing up role and rule-based since the names are close. Should be: MAC → End user cannot set controls, DAC → Subject has total control, RBAC → Duties/jobs, Rule-based → Roles by custodian.

Priya E. Mar 20, 2026 11:47 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → Duties based on job function, Rule-based → Roles by custodian. Pretty sure this matches textbook definitions, at least that's what most practice tests show. Correct me if I'm missing something.

Hannah P. Mar 20, 2026 9:55 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control, RBAC → Duties by job function, Rule-based → Roles by custodian. Nice clear mapping on this one.

Sara X. Mar 27, 2026 1:33 pm

Pretty classic CISSP drag-and-drop. I'd map it:
Mandatory Access Control → End user cannot set controls,
Discretionary Access Control (DAC) → Subject has total control over objects,
Role Based Access Control (RBAC) → Dynamically assigns permissions to particular duties based on job function,
Rule based access control → Dynamically assigns roles to subjects based on criteria assigned by a custodian.
I think that's spot-on for the way the terms are usually defined, though I know RBAC and Rule-based get mixed up sometimes if you're not watching the "dynamic" cue. Let me know if you see it different!

Ivy Mar 18, 2026 9:58 pm

Mandatory Access Control → End user cannot set controls, Discretionary Access Control → Subject has total control over objects, Role Based Access Control → Dynamically assigns permissions based on job function, Rule based access control → Dynamically assigns roles by custodian criteria. I've seen similar wording in CISSP practice, and there's a trap with swapping RBAC and Rule-based-easy to mix up. Pretty sure this mapping is correct but open to discussion if someone spots a nuance.

AmeliaD Mar 16, 2026 8:45 am

Totally agree with MAC to end user cannot set controls, DAC is subject has total control, RBAC ties permissions to job functions, and Rule-based is roles via custodian criteria. That's how most CISSP sources show it. Pretty confident but always open to another take if anyone sees it different.

Leo Mar 26, 2026 7:41 am

I see the confusion, but pretty sure it's MAC for end user can't set controls, DAC for subject has total control over objects, RBAC for job function duties, Rule-based for roles by custodian criteria. That's how official CISSP guides usually match them up. Correct me if you see it differently!

Be respectful. No spam.

Correct Answer:

Restrictions End user cannot set controls: A. Mandatory Access Control Subject has total control over objects: B. Discretionary Access Control (DAC) Dynamically assigns permissions to particular duties based on job function: C. Role Based Access Control (RBAC) Dynamically assigns roles to subjects based on criteria assigned by a custodian: D. Rule based access control

Explanation

The matching aligns each access control model with its defining characteristic.

Mandatory Access Control (MAC) is a centralized model where a system authority enforces access based on security labels (e.g., clearances and classifications). The owners or end users of objects do not have the authority to change these access rules.
Discretionary Access Control (DAC) is a decentralized model where the owner (a subject) of a resource (an object) has the discretion to grant or deny access to other subjects. This gives the subject total control over the objects they own.
Role Based Access Control (RBAC) simplifies administration by assigning permissions to roles that correspond to job functions. Users are then assigned to these roles, inheriting the associated permissions necessary for their duties.
Rule-based access control uses a set of configurable rules or criteria to make access decisions. The specific scenario described—dynamically assigning roles based on criteria—is a form of rule-based logic applied to an RBAC framework, often seen in modern identity management systems.

References

National Institute of Standards and Technology (NIST). (2017). NIST Special Publication 800-192: Verification and Test Methods for Access Control Policies/Models. Section 2.1, "Access Control Policies/Models Definitions". This document defines MAC as non-discretionary and DAC as allowing owners to specify access. DOI: https://doi.org/10.6028/NIST.SP.800-192

National Institute of Standards and Technology (NIST). (n.d.). Glossary: Role-Based Access Control. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary/term/role_based_access_control. This source defines RBAC as being "based on user roles...Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization."

Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. Chapter 4, "Access Control". This textbook provides foundational academic descriptions, explaining that with DAC, "an entity may be granted access rights that enable the entity, by its own volition, to enable another entity to access some resource" (p. 116), whereas with MAC, controls are "not subject to the object owner's discretion" (p. 120).

Hu, V. C., Ferraiolo, D., Kuhn, R., Friedman, A. R., Lang, A. J., et al. (2013). Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication 800-162. Section 2.3.4 discusses how ABAC (a form of rule-based control) can be used to implement dynamic role assignment, stating, "In some cases the subject's assigned role...may be determined dynamically from subject attributes." This directly supports the match for rule-based access control. DOI: https://doi.org/10.6028/NIST.SP.800-162

Q: 2

Which of the following value comparisons MOST accurately reflects the agile development approach?

Options

Discussion

MayaE Mar 13, 2026 4:18 am

D fits best here. Agile is about delivering working software and not getting bogged down in heavy documentation. The other options flip the agile values, so pretty sure D is correct but open to other thoughts if I missed something.

Ravi Mar 16, 2026 8:56 am

I don’t think it’s D this time. C, since following a plan is super emphasized in most project methodologies, and Agile doesn’t ignore planning either. D feels too textbook, but I might be overthinking.

HelpfulSec3289 Mar 29, 2026 12:39 pm

C/D? Both get picked sometimes but I'm saying D. That's the straight-up Agile Manifesto wording.

AveryI Mar 21, 2026 9:04 pm

D
Agile puts working software above comprehensive docs, per the Agile Manifesto. The other options flip agile values around, which isn't accurate. Pretty sure it's D, but open to other takes.

Parker G. Mar 28, 2026 12:23 am

Nah, C's tempting but the trap is thinking Agile is plan-heavy like waterfall. D

Arjun M. Mar 27, 2026 10:15 am

D, working software is what Agile really pushes for based on the manifesto. Not 100 percent but pretty sure. Disagree?

Adam G. Mar 20, 2026 2:17 am

D , Agile's core value is delivering working software, not getting buried in documentation. C is kind of a trap since Agile actually prefers adapting over strict plans. Pretty sure about D but open if someone thinks otherwise.

NehaK Mar 31, 2026 9:22 am

C , since planning is huge in dev projects. I know Agile values adaptability, but following a plan seems more accurate if you consider how teams actually try to structure sprints. D feels a bit too obvious a trap here. Could be wrong though.

Taylor Mar 15, 2026 10:20 pm

D , that's the closest match to Agile's actual values.

CalmTester4695 Mar 17, 2026 7:18 pm

D imo, that's straight from the Agile Manifesto-working software prioritized over docs every time.

Be respectful. No spam.

Q: 3

A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?

Options

Discussion

Casey Mar 26, 2026 2:49 am

A. saw a similar question in a practice set and deployment is all about getting those tools in place.

Aaron Mar 14, 2026 7:30 am

Option A, but if the org had pre-approved tech and skipped procurement, this could shift.

Zoe N. Mar 30, 2026 6:57 am

A tbh. D looks tempting but training usually follows after the tech is actually in place so watch for that trap.

Jason C. Mar 18, 2026 5:27 pm

A (not D), . Deployment is mostly about getting the right tools in place, training usually happens after. D can be a trap if you mix up rollout steps, at least in CISSP context.

MorganJ Mar 20, 2026 6:28 am

Seriously wish ISC2 would make these deployment phase definitions less fuzzy. A

Liam Mar 31, 2026 4:32 pm

Ugh, ISC2 always overcomplicates with their phases. A

ChrisH Mar 28, 2026 10:01 pm

C or D. I remember seeing a similar exam question where measuring effectiveness (C) was treated like a deployment metric, since you need to validate things are set up right. But D training stakeholders also feels like it fits the rollout piece. Not totally sure which ISC2 expects here, anyone else see this?

PreciseEngineer4320 Mar 27, 2026 2:12 pm

Makes sense to me, this phase is about getting the tech in place so it's A.

Ishaan H. Mar 14, 2026 5:26 am

A is the best fit for what deployment means in CISSP context, since it’s about getting the actual tools and systems in place. Training stakeholders (D) usually comes later once the supporting tech is running. Pretty sure about this one, but let me know if you see it differently.

PreciseAuditor4426 Mar 26, 2026 11:15 am

ISC2 loves making deployment phase stuff confusing, but A imo.

Be respectful. No spam.

Correct Answer:

Explanation

The deployment phase of establishing a vulnerability management program focuses on implementing the designed program and making it operational. A fundamental task in this phase is to select, procure, and configure the necessary supporting technologies, such as vulnerability scanners, patch management systems, and ticketing systems. These tools form the technical foundation of the program, and their deployment is a prerequisite for subsequent operational activities like scanning, analysis, and remediation.

References

1. Carnegie Mellon University

Software Engineering Institute (CMU/SEI). In the technical note "A Framework for a Vulnerability Management Program

" the authors state

"The selection of tools is a critical step in the implementation of a vulnerability management program." The deployment phase is synonymous with the implementation phase

where the planned program is put into action.

Source: Alberts

& Dorofee

A. (2005). A Framework for a Vulnerability Management Program (CMU/SEI-2005-TN-028). Carnegie Mellon University. (See Section 3.3

"Tool Selection").

2. NIST Special Publication 800-100

"Information Security Handbook: A Guide for Managers." This guide outlines the information security program life cycle

which includes initiation

development/acquisition

implementation

operation/maintenance

and disposal. The selection and procurement of technologies fall squarely within the "development/acquisition" phase

which directly precedes the "implementation" (or deployment) phase. In the context of establishing a new program

these are often grouped as deployment activities.

Source: NIST SP 800-100

Chapter 3

"Information Security Program Management

" Section 3.3

"Information Security Program Life Cycle."

3. University of California

Berkeley

Information Security Office. Courseware and guidance on establishing security programs consistently place budgeting and charter development in the initial "Strategy & Plan" phase

while tool acquisition and implementation occur in the "Build/Deploy" phase. Measuring metrics occurs in the final "Measure & Improve" phase.

Source: UC Berkeley Security

"Vulnerability Management Program

" Program Development Lifecycle documentation. (Illustrates the standard phased approach to program creation).

Q: 4

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

Options

Discussion

Arjun Mar 26, 2026 8:39 am

D. Security requirements have to be set right after business analysis and data categorization, not later in SDLC. If you wait until after vulnerability analysis or design phases, it's too late to integrate them fully.

MethodicalNeteng4453 Mar 30, 2026 6:45 am

Its D, not B. Vulnerability analysis comes after, trap for people mixing up SDLC order.

Liam X. Mar 26, 2026 7:22 am

Priya G. Mar 18, 2026 4:42 am

Kind of leaning toward B. Seems like you should lock down requirements right after vulnerability analysis is done.

Aisha K. Mar 12, 2026 4:32 am

Its D. Saw a similar question in some practice sets and D matched the official CISSP approach for when security requirements should be set.

Chloe Mar 21, 2026 10:17 pm

Not B, D. Vulnerability analysis is later in the SDLC so B is a common trap here.

Aaron Mar 11, 2026 3:19 pm

No way it's B, D is right. Security functional requirements come after business analysis and data categorization, not after vulnerability analysis.

MiaF Mar 29, 2026 3:07 am

I don’t see how B fits since vulnerability analysis happens after requirements are set, not before. Security functional requirements need both the business analysis and knowing your data’s sensitivity, so D is the right sequence. Could be a tricky one if you miss that order.

Sara Q. Mar 23, 2026 4:18 am

Option B. Requirements usually get clearer after vulnerability checks but before detailed design.

Sam D. Mar 25, 2026 2:50 pm

I don't think it's B. D is correct here because vulnerability analysis comes a bit later in the SDLC, and CISSP usually expects security requirements to be set once business functions and data categorization are clear. B is a trap since it jumps ahead. Wouldn't surprise me if some practice sets tripped folks up on this one.

Be respectful. No spam.

Correct Answer:

Explanation

Software security functional requirements must be defined early in the Software Development Life Cycle (SDLC) to ensure security is built-in, not bolted on. This process logically follows the initial analysis of the system's purpose and the data it will handle. First, the business functional analysis determines what the system needs to do. Second, data security categorization (e.g., per FIPS 199) assesses the sensitivity of the information being processed. Only after understanding both the system's function and the data's value can appropriate and specific security requirements (e.g., access controls, encryption levels) be defined. This "shift left" approach is fundamental to secure systems engineering.

References

1. NIST Special Publication 800-64 Revision 2

Security Considerations in the System Development Life Cycle.

Section 2.1

Initiation Phase: This section states

"During the Initiation Phase

the need for a system is expressed and the purpose of the system is documented... Security requirements should be identified and discussed at this early stage." It explicitly links the initial business need and the security categorization (based on FIPS 199) as precursors to defining these requirements.

2. NIST Special Publication 800-160 Volume 1

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

Section 2.3.2

Stakeholder Needs and Requirements Definition Process: This section describes the process to "define the stakeholder requirements for a system." It emphasizes that this occurs at the beginning of the life cycle to capture all needs

including security

which are derived from the business or mission objectives and the required level of protection for assets.

3. Federal Information Processing Standards Publication (FIPS) 199

Standards for Security Categorization of Federal Information and Information Systems.

Section 3

Categorizing Information and Information Systems: This standard establishes the importance of categorizing information based on confidentiality

integrity

and availability impacts. This categorization is a foundational step in the risk management process and directly informs the selection of security controls and requirements early in the SDLC.

Q: 5

What does the result of Cost-Benefit Analysis (C8A) on new security initiatives provide?

Options

Discussion

Sara U. Mar 26, 2026 3:06 pm

Doesn't CBA just create a justification for management, not actual acceptance like D?

Jason P. Mar 12, 2026 6:07 am

Its A. Cost-Benefit Analysis gives you quantifiable justification for security spending, not formalized acceptance like D. That trap always comes up on CISSP stuff but the CBA itself only gives numbers/data to help management decide. Pretty sure about this, but let me know if I'm missing something.

Piya Mar 19, 2026 3:26 pm

D is a distractor, not what CBA produces. It should be A but open to other views if I'm off.

CuriousAuditor3621 Mar 18, 2026 2:53 am

I see why some pick D for formal acceptance, but the CBA itself doesn't decide anything, it just delivers numbers and justification for decision makers. So I'd say A makes more sense because that's what CBA actually produces. Still a little unsure if I'm overthinking the wording, agree?

Ajay G. Mar 23, 2026 2:42 pm

A , this matches what the official guide stresses and I’ve seen similar in practice exams.

Noah Mar 19, 2026 6:53 pm

Its A. D trips people up but CBA's output is just quantifiable justification, not the formal acceptance step.

Arjun X. Mar 29, 2026 3:19 am

A , similar question was on my last practice set and it was always about quantifiable justification.

Anita Mar 12, 2026 10:27 pm

A makes the most sense here. Cost-Benefit Analysis is all about showing management a clear, financial reason to approve (or reject) a security investment-so it's the quantifiable justification they're after. Risk evaluation (C) is part of doing the CBA but not what gets delivered at the end. Pretty sure A is right, but open to other views if I'm missing something.

Ajay G. Mar 27, 2026 11:35 pm

Pretty sure A, that's what the official study guide and main exam practice sources say too.

Neha I. Mar 11, 2026 4:23 pm

I get why folks are thinking C here. Risk evaluation is definitely part of the process, since you have to know your risks before doing a CBA. So I'd pick C too, since the analysis ends up tying security investments back to risk levels. Might be missing the focus on justifying with numbers though. Anyone got a different take?

Be respectful. No spam.

Correct Answer:

Explanation

A Cost-Benefit Analysis (CBA) is a fundamental financial process used in risk management to evaluate the viability of a security initiative. It directly compares the monetary cost of implementing and maintaining a control against its projected financial benefit. This benefit is typically measured as the reduction in risk, often quantified by the decrease in the Annualized Loss Expectancy (ALE). The final output of a CBA is a data-driven, financial argument (e.g., Return on Security Investment - ROSI) that provides a quantifiable justification for management to decide whether to approve the expenditure. It translates a technical security requirement into a business-centric financial decision.

References

1. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30

Revision 1).

Section 3.3.3

Analysis of Alternatives: This section describes the process of evaluating different courses of action for risk response. It states that organizations should "evaluate the relative advantages and disadvantages (e.g.

effectiveness

feasibility

cost-benefit) of the alternative courses of action." This highlights that the CBA is the tool for providing a justifiable comparison.

2. Gordon

L. A.

& Loeb

M. P. (2002). The Economics of Information Security Investment. ACM Transactions on Information and System Security

5(4)

438–457. https://doi.org/10.1145/581271.581274

Page 440: The paper introduces an economic model for information security investment

stating

"The model shows how the optimal amount to invest in information security is an increasing function of the vulnerability of the information to security breaches." The entire premise is to provide a quantifiable

economic justification for security spending

which is the core of a CBA.

3. Van Oorschot

P. C. (2020). Computer Security and the Internet: Tools and Jewels. Springer.

Chapter 10

Section 10.2.2

Risk Analysis: This section discusses quantitative risk analysis

explaining that the goal is to assign monetary values to assets and the impact of threats. It notes that the results

such as the ALE

are used in a cost-benefit analysis to "justify the cost of countermeasures." This directly supports that the result of a CBA is justification.

Q: 6

A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?

Options

Discussion

Luke Mar 26, 2026 7:39 am

A , but for stuff like this it's worth reviewing the official CISSP study guide and some practice questions too.

Ben X. Mar 15, 2026 1:50 pm

Luke Mar 31, 2026 6:58 pm

Guessing D . Network always feels like a big risk for BCP even in a Tier 4, right?

Emma T. Mar 18, 2026 1:12 pm

Option A. Not totally sure though, since D looks tempting at first if you don't factor in the Tier 4 redundancy. Network and power are handled by design, app failures aren't. If someone strongly feels it's D, let me know why.

Noah A. Mar 30, 2026 3:33 pm

Yeah, it's A here. Tier 4 already handles power and network so app-level issues are what the BCP should focus on next.

Hannah A. Mar 20, 2026 10:21 pm

C/D? Had something like this in a mock, picked network since even Tier 4 can’t fully guarantee connectivity.

Olivia I. Mar 13, 2026 4:20 am

Option A but I get why some say D since network issues are always a pain for BCP. I think Tier 4 covers infra so app failures stand out more, but not totally sure.

Robin F. Mar 15, 2026 5:28 pm

Network or Application, so annoying how CISSP throws these. For Tier 4, infra stuff like power/network is super redundant, so application (A) is the bigger wild card. Pretty sure that’s what they’re getting at here, but correct me if I’m missing something.

Riley Mar 25, 2026 8:23 pm

A tbh

Ravi O. Mar 12, 2026 3:56 am

Be respectful. No spam.

Correct Answer:

Explanation

A Tier 4 data center is defined by the Uptime Institute as having "Fault Tolerant Site Infrastructure." This means it has 2N+1 fully redundant infrastructure for power, cooling, and network connectivity, ensuring that a single, unplanned failure of any infrastructure component will not affect IT operations. Given that the physical infrastructure risks (power, network, and the environment for storage) are significantly mitigated by the Tier 4 design, the IT manager's focus in Business Continuity Planning (BCP) must shift to areas not covered by the facility's rating. Application failures—resulting from software bugs, flawed logic, data corruption, or misconfiguration—are independent of the physical infrastructure's resilience and thus represent a more prominent remaining risk.

References

1. Uptime Institute. (2021). Tier Standard: Topology. TUI3026E. Section 7.0

"Tier IV: Fault Tolerant Site Infrastructure

" states

"A Tier IV data center has multiple

independent

and physically isolated systems that each have redundant capacity components... A single failure of any equipment or distribution element will not impact the IT equipment." This standard focuses on power

cooling

and network as the core infrastructure components covered.

2. National Institute of Standards and Technology (NIST). (2010). Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. Page 11

Section 2.3

"Types of Disruptions." The guide categorizes disruptions

listing "System/Application Failure or Malfunction" separately from facility-level issues like "Disruption of Power" or "Disruption of Telecommunications." This highlights that application failure is a distinct concern from the infrastructure failures mitigated by a Tier 4 design.

3. Patterson

D. A. (2014). CS 162: Operating Systems and Systems Programming

Lecture 21: "Data Centers." University of California

Berkeley. The lecture notes discuss data center reliability

emphasizing that while top-tier data centers (like Tier 4) solve for power and cooling failures

failures still occur due to software bugs

operator error

and network issues within the software stack

which are outside the scope of the facility's physical tier rating.

Q: 7

HOTSPOT In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?

Your Answer

Discussion

Emma R. Mar 28, 2026 10:52 am

Makes sense to go with LAN 4. DMZ segment is designed for less-trusted users and can restrict contractor access to only what’s needed. Official study guide and network architecture diagrams help clarify this setup, if you want to double-check.

Rowan V. Mar 14, 2026 2:31 pm

LAN 4

Karan U. Mar 26, 2026 4:21 pm

LAN 4. If guests need Internet but only select enterprise services, DMZ (LAN 4) minimizes risk to internal resources.

Karan M. Mar 18, 2026 9:10 pm

Honestly these DMZ questions always feel a bit too textbooky, but LAN 4 is right here. It's the DMZ, so you get separation for contractors and can tightly control what they access-way better than risking it on a more internal segment. Only doubt is if the question wanted true internal trust, but that's not what it's asking.

Daniel X. Mar 23, 2026 9:04 pm

LAN 4 (the DMZ) is the best spot for this WAP if contractors only need Internet and limited enterprise access. DMZ design keeps traffic from hitting internal resources directly, which lines up with least privilege. Pretty standard CISSP logic but open for debate if business needs were different!

Leo U. Mar 21, 2026 7:56 am

LAN 4

Jordan O. Mar 23, 2026 6:08 am

LAN 4

FocusedReviewer6631 Mar 17, 2026 2:53 am

LAN 4 here. Pretty sure that's the DMZ so it keeps contractor traffic isolated from the main internal LAN. Unless I'm reading the diagram wrong, DMZ is usually the spot for this use case.

FocusedNeteng773 Mar 23, 2026 6:50 pm

Yeah, LAN 4 for sure.

Owen Z. Mar 27, 2026 5:48 am

LAN 4, saw a similar question in exam dumps-DMZ is always the safest bet for contractor WAPs.

Be respectful. No spam.

Correct Answer:

LAN 4

Explanation

The network segment labeled LAN 4 represents a Demilitarized Zone (DMZ), which is a perimeter network located between two firewalls. A DMZ is the most secure location to deploy services for less-trusted users, such as contractors, because it isolates their traffic from the highly secured internal network (LAN 2). Placing the Wireless Access Point (WAP) in the DMZ allows contractors to access the Internet through the external firewall while the internal firewall can enforce strict rules, granting access only to specific, authorized enterprise services. This architecture upholds the principle of least privilege and protects critical assets on the internal network, such as the Database Server in LAN 2.

References

Stallings, W. (2017). Network Security Essentials: Applications and Standards (6th ed.). Pearson.

Reference: Chapter 9, Section 9.2, "Firewall Configurations," particularly the discussion on the "Screened Subnet Firewall System" (p. 297, Figure 9.5c). This section details the dual-firewall architecture where the DMZ is the isolated network between an external and internal firewall, which is the standard design for securely hosting systems that require external access without exposing the internal network.

Zwicky, E. D., Cooper, S., & Chapman, D. B. (2000). Building Internet Firewalls (2nd ed.). O'Reilly & Associates.

Reference: Chapter 6, "Firewall Architectures," specifically the section on "Screened Subnet" (pp. 138-142). This source describes the screened subnet (DMZ) as the canonical solution for allowing access from the Internet to selected hosts while protecting the internal network. Placing a WAP for semi-trusted users in this zone is a direct application of this principle.

Cheswick, W. R., Bellovin, S. M., & Rubin, A. D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). Addison-Wesley Professional.

Reference: Chapter 4, "Firewall-Friendly Protocols and the DMZ." The chapter explains that the purpose of a DMZ is to create a "neutral zone" for machines that need to be accessible from the outside but should not be trusted on the internal network. This concept directly applies to creating a network segment for contractors.

Q: 8

DRAG DROP Rank the Hypertext Transfer protocol (HTTP) authentication types shows below in order of relative strength. Drag the authentication type on the correct positions on the right according to strength from weakest to strongest.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Digest
Integrated Windows Authentication
Basic
Client Certificate

Discussion

ReeseL Mar 13, 2026 7:28 am

Yeah, it's Basic then Digest then Integrated Windows Auth then Client Certificate.

Skyler P. Mar 25, 2026 9:58 pm

Basic -> Weakest, Digest -> Weak, Integrated Windows Auth -> Strong, Client Certificate -> Strongest

Riley M. Mar 17, 2026 8:26 pm

Looks right to me based on the CISSP official guide and most practice tests. Basic is weakest, then Digest, IWA (Kerberos/NTLMv2) is stronger, and Client Certificate tops the list. If you want to double-check, the official CBK covers this mapping clearly.

Basic → Weakest
Digest → Weak
Integrated Windows Authentication → Strong
Client Certificate → Strongest

Aaron Mar 30, 2026 2:07 pm

Basic → Weakest, Digest → Weak, Integrated Windows Auth → Strong, Client Certificate → Strongest

Luna M. Mar 24, 2026 1:45 pm

Pretty sure Karan swapped Digest and Integrated Windows Auth. Integrated Windows Auth uses Kerberos or NTLMv2 which is stronger than Digest, which just hashes creds with MD5. So ordering should be: Basic, Digest, Integrated Windows Auth, Client Certificate. Trap here is thinking Digest is stronger than IWA.

Chris E. Mar 30, 2026 1:44 am

Nice, that's the order I remember too: Basic, Digest, Integrated Windows Auth, then Client Certificate for strongest. No explanation needed here.

Zoe W. Mar 21, 2026 9:45 pm

Basic → Weakest, Digest → Weak, Integrated Windows Auth → Strong, Client Certificate → Strongest. That's the typical CISSP ranking.

Aaron V. Mar 29, 2026 4:10 pm

Same order I see in the official guide and most practice exams: Basic, Digest, Integrated Windows Authentication, then Client Certificate as strongest. If you check the exam outline or CISSP study books it matches up.

Jason W. Mar 15, 2026 4:21 pm

Some folks miss that Digest is actually stronger than Basic but still not as robust as Integrated Windows Auth. So it's Basic -> Digest -> Integrated Windows Auth -> Client Certificate. If they ask about default configs, this order makes sense I think.

Maya F. Mar 26, 2026 4:13 pm

I see why everyone orders it Basic, Digest, IWA, Client Certificate. Base64 for Basic is barely anything, Digest does add a hash but MD5 isn't great these days. IWA using Kerberos or NTLMv2 is definitely stronger, PKI certs top it all off. Pretty sure this matches CISSP intent unless they're asking about legacy only.

Be respectful. No spam.

Correct Answer:

Strength Weakest: C. Basic Weak: A. Digest Strong: B. Integrated Windows Authentication Strongest: D. Client Certificate

Explanation

This ranking is based on the security of how credentials are handled and the underlying cryptographic protocols.

Basic authentication is the weakest because it sends the username and password over the network in a plaintext-equivalent form (Base64 encoding), offering no confidentiality.
Digest authentication is an improvement, using a challenge-response protocol that avoids sending the password in the clear. However, it typically relies on the MD5 hashing algorithm, which is now considered cryptographically weak and vulnerable.
Integrated Windows Authentication (IWA) is strong as it leverages secure, ticket-based protocols like Kerberos or the NTLMv2 challenge-response mechanism. These protocols are designed to prove a user's identity without transmitting passwords across the network.
Client Certificate authentication is the strongest. It uses Public Key Infrastructure (PKI) for mutual authentication between the client and server. The client must possess a private key corresponding to its public certificate, providing a much higher level of identity assurance than password-based systems.

References

Internet Engineering Task Force (IETF). (2015). RFC 7617: The 'Basic' HTTP Authentication Scheme. Section 4: Security Considerations. This section explicitly states, "In the absence of a secure channel, the 'Basic' authentication scheme transmits credentials in the clear."

Internet Engineering Task Force (IETF). (2015). RFC 7616: HTTP Digest Access Authentication. Section 5: Security Considerations. This document discusses the advantages of Digest over Basic but notes its vulnerabilities, including the weakness of the default MD5 algorithm.

Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. In Chapter 20.3, "HTTPS," the text discusses client certificates as a strong authentication mechanism as part of TLS mutual authentication.

Microsoft Documentation. (2021). Integrated Windows Authentication. Microsoft Learn. This document details how IWA uses Kerberos and NTLM, stating, "With Integrated Windows authentication, user credentials aren't sent to the server." This inherent design makes it stronger than schemes that transmit credentials or their weak derivatives.

Q: 9

Which of the following management process allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?

Options

Discussion

Ben R. Mar 14, 2026 5:09 am

Ava Mar 30, 2026 2:22 am

Maybe D . Patch management can sometimes include disabling services and forcing AV updates too, so A feels like a trap.

IshaanW Mar 30, 2026 2:46 am

Option D. since patching also handles updates and sometimes disables services by default. A is a trap here.

Logan Mar 21, 2026 12:39 am

Pretty sure A: is what I picked. Had a similar scenario in my exam last year, config mgmt covered disabling services and default password changes. Changing ongoing user creds would be more Identity. Pretty sure on this one but let me know if anyone disagrees.

Meera U. Mar 23, 2026 6:46 am

A tbh. Restricting unnecessary services and setting baseline configs is classic config management, even with that password change mention. It's not Identity if we're just talking about changing defaults one time. Anyone see legit CISSP practice where this wasn't config mgmt?

Aisha J. Mar 25, 2026 9:46 pm

Not B, A. Changing default passwords might seem like identity, but limiting services and AV updates make config the right call. The identity trap gets people.

Leo T. Mar 18, 2026 1:48 pm

Had something like this in a mock and I went with B. Changing default passwords felt like an identity management move, even though the other actions lean config. Might be overthinking it, but that's what I'd pick here-thoughts?

SeanZ Mar 16, 2026 1:53 pm

Its A. Option B seems close but the disabling of services and pushing AV updates is way more config than identity. Not 100 percent sure since passwords come up, but all together these sound like secure configuration tasks. Disagree?

Casey U. Mar 26, 2026 9:36 pm

Its A for sure, config management handles limiting services and changing default passwords. Patch is mostly just updates, not initial hardening. Pretty confident here but open if someone sees it differently.

Reese B. Mar 25, 2026 4:39 am

Its A, not D. Patch management is more about updates, but "only those services" is config management all the way.

Be respectful. No spam.

Correct Answer:

Explanation

The activities described—allowing only necessary services (least functionality), changing default passwords, and configuring antivirus updates—are all core components of establishing and maintaining a secure system baseline. This process is known as secure Configuration Management. It involves hardening systems by defining, implementing, and enforcing a secure state to reduce the attack surface. These actions are not primarily about managing user identities, applying patches, or auditing for compliance, but rather about setting the system's configuration parameters to a known, secure standard.

References

1. NIST Special Publication 800-128

"Guide for Security-Focused Configuration Management of Information Systems." Section 2.1 defines Security-Focused Configuration Management (SecCM) as the management and control of configurations for an information system to enable security and manage risk. The activities listed in the question are examples of establishing a secure configuration baseline.

2. NIST Special Publication 800-53 Revision 5

"Security and Privacy Controls for Information Systems and Organizations." The Configuration Management (CM) control family directly addresses this. Specifically

control CM-7 "Least Functionality" requires the organization to configure systems to provide only essential capabilities

which includes disabling unnecessary services. Changing default passwords (IA-5) and configuring antivirus (SI-3) are also part of establishing a secure baseline configuration (CM-2).

3. Purdue University

"Information Security Policy (VII.B.2)." University policies on information security

often used in courseware

define configuration management as a key process. For example

Purdue's policy states that "System hardening and configuration management standards must be followed to protect University IT Resources from unauthorized access and misuse

" explicitly linking hardening activities to configuration management. (See Section on System Administration Practices).

Q: 10

DRAG DROP Match the name of access control model with its associated restriction. Drag each access control model to its appropriate restriction access on the right.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Mandatory Access Control
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule based access control

Discussion

Ishaan C. Mar 19, 2026 2:11 am

Got the same matches as in the official practice test:
Mandatory Access Control → End user cannot set controls
Discretionary Access Control (DAC) → Subject has total control over objects
Role Based Access Control (RBAC) → Dynamically assigns permissions to duties by job function
Rule based access control → Dynamically assigns roles based on custodian criteria.
Quick check in the ISC2 guide confirmed this layout. Pretty standard, but wording can trip you up if you're not careful.

Zoe T. Mar 15, 2026 10:51 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → Dynamically assigns permissions by job function, Rule based → Dynamically assigns roles to subjects by custodian criteria. Had something similar in a mock and this pairing matched exactly. Pretty sure this is the standard CISSP mapping.

Cameron Z. Mar 13, 2026 2:10 am

These wording twists always mess people up, classic CISSP. The mapping should be:

Mandatory Access Control → End user cannot set controls
Discretionary Access Control (DAC) → Subject has total control over objects
Role Based Access Control (RBAC) → Dynamically assigns permissions by job function
Rule based access control → Dynamically assigns roles to subjects based on criteria assigned by a custodian

I think that's textbook, though with ISC2 sometimes it's all about the exact phrasing. Anyone disagree?

Skyler C. Mar 24, 2026 8:10 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → permissions by job function, Rule based → custodian criteria. Had something like this in a mock, looks solid.

Avery Q. Mar 20, 2026 1:15 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control over objects, RBAC → Dynamically assigns permissions to duties by job function, Rule based → Dynamically assigns roles using custodian criteria.

Ava Mar 18, 2026 11:39 am

Mandatory Access Control to end user cannot set controls, DAC to total control, RBAC to job function, Rule based to custodian criteria. That's how I see it lining up for CISSP. Pretty sure that's what the exam wants.

QuickEngineer7835 Mar 26, 2026 5:41 pm

Yeah, the mapping goes: MAC to end user cannot set controls, DAC to total control, RBAC to job function, Rule based to custodian criteria. Matches how CISSP outlines each model. Pretty confident in this.

Jordan B. Mar 19, 2026 6:02 pm

Mandatory Access Control → End user cannot set controls, DAC → Subject has total control, RBAC → job function, Rule based → criteria. Just watch out: RBAC and Rule based get mixed up if you forget that roles are static in pure RBAC. Seen similar on practice tests.

Sanjay Q. Mar 28, 2026 12:14 am

MAC to End user cannot set controls, DAC to total control, RBAC to job function, Rule based to custodian criteria.

Leo C. Mar 20, 2026 3:06 am

RBAC to custodian criteria, Rule based to job function. That's how I matched them.

Be respectful. No spam.

Correct Answer:

Explanation

The matching is based on the defining characteristics of each access control model.

Mandatory Access Control (MAC) is a non-discretionary model where a central authority defines access policies based on security labels (e.g., clearance levels). The end user has no authority to change these system-enforced rules.
Discretionary Access Control (DAC) allows the owner (subject) of a resource (object) to determine the access permissions for other users at their discretion.
Role Based Access Control (RBAC) simplifies administration by grouping permissions into roles that correspond to job functions. Users are assigned roles, thereby acquiring the permissions associated with those duties.
Rule Based Access Control uses specific rules or policies that evaluate conditions (criteria) to grant or deny access. A sophisticated implementation of this model can dynamically assign roles to a subject if certain criteria, set by an administrator (custodian), are met.

References

For MAC and DAC: Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM, 17(7), 38-41. (In Section I.A.3, "Design Principles," the document contrasts centrally-managed, mandatory controls with schemes where individual users control access to their own data, which is the core of the MAC vs. DAC distinction). DOI: https://doi.org/10.1145/361011.361062

For RBAC: Ferraiolo, D. F., & Kuhn, D. R. (1992). Role-Based Access Control. Proceedings of the 15th National Computer Security Conference, (pp. 554-563). (This foundational paper defines RBAC as a method of restricting system access to authorized users based on their roles within an organization. Section 3, "The Model," explicitly links roles to job functions). Available via NIST: https://csrc.nist.gov/csrc/media/projects/role-based-access-control/documents/ferraiolo-kuhn-92.pdf

For Rule-Based/Attribute-Based Control: Hu, V. C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2014). Guide to Attribute Based Access Control (ABAC) Definition and Considerations (NIST Special Publication 800-162). National Institute of Standards and Technology. (Section 2.1 defines ABAC, a modern form of rule-based control, as a model where rules evaluate attributes—or criteria—to make access decisions. This can include dynamically managing a subject's privileges or role memberships based on these attributes). DOI: https://doi.org/10.6028/NIST.SP.800-162

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE