Free CISSP Practice Test

ISC2 CISSP Free Exam Questions

Disclaimer

Please keep a note that the demo questions are not frequently updated. You may as well find them in open communities around the web. However, this demo is only to depict what sort of questions you may find in our original files.

Nonetheless, the premium exam dumps files are frequently updated and are based on the latest exam syllabus and real exam questions.

1 / 60

An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type of authorization mechanism would be the BEST choice for the organization to implement?

Discretionary access control (DAC)

Content-dependent Access Control

Role-based access control (RBAC)

Rule-based Access Control

2 / 60

Which part of an operating system (OS) is responsible for providing security interfaces among the hardware, OS, and other parts of the computing system?

Trusted Computing Base (TCB)

Security kernel

Time separation

Reference monitor

3 / 60

Clothing retailer employees are provisioned with user accounts that provide access to resources at partner businesses. All partner businesses use common identity and access management (IAM) protocols and differing technologies. Under the Extended Identity principle, what is the process flow between partner businesses to allow this IAM action?

Clothing retailer acts as identity provider (IdP), confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.

Clothing retailer acts as User Self Service, confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.

Clothing retailer acts as Access Control Provider, confirms access of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to resources.

Clothing retailer acts as Service Provider, confirms identity of user using industry standards, then sends credentials to partner businesses that act as an identity provider (IdP) and allows access to resources.

4 / 60

Which of the following statements BEST describes least privilege principle in a cloud environment?

Routing configurations are regularly updated with the latest routes.

A single cloud administrator is configured to access core functions.

Internet traffic is inspected for all incoming and outgoing packets.

Network segments remain private if unneeded to access the internet.

5 / 60

Which of the following is included in change management?

User Acceptance Testing (UAT) before implementation

Cost-benefit analysis (CBA) after implementation

Technical review by business owner

Business continuity testing

6 / 60

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

SOC 2 Type 1

SOC 2 Type 2

SOC 1 Type 1

SOC 3

7 / 60

An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?

8 / 60

Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts?

Training department

Human resources

Internal audit

Information technology (IT)

9 / 60

Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks?

The regular use of production code routines from similar applications already in use

Using automated programs to test for the latest known vulnerability patterns

Scheduled team review of coding style and techniques for vulnerability patterns

Ensure code editing tools are updated against known vulnerability patterns

10 / 60

In the "Do" phase of the Plan-Do-Check-Act model, which of the following is performed?

Maintain and improve the Business Continuity Management (BCM) system by taking corrective action, based on the results of management review.

Ensure the business continuity policy, controls, processes, and procedures have been implemented.

Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.

Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity have been established.

11 / 60

When resolving ethical conflicts, the information security professional MUST consider many factors. In what order should the considerations be prioritized?

Public safety, duties to principals, duties to the profession, and duties to individuals

Public safety, duties to the profession, duties to principals, and duties to individuals

Public safety, duties to individuals, duties to the profession, and duties to principals

Public safety, duties to principals, duties to individuals, and duties to the profession

12 / 60

An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user's browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?

Extensible Markup Language (XML) external entities

Cross-Site Scripting (XSS)

SQL injection (SQLi)

Cross-Site Request Forgery (CSRF)

13 / 60

What is the term used to define where data is geographically stored in the cloud?

Data sovereignty

Data privacy rights

Data warehouse

Data subject rights

14 / 60

Which of the following is MOST important to follow when developing information security controls for an organization?

Exercise due diligence with regard to all risk management information to tailor appropriate controls.

Use industry standard best practices for security controls in the organization.

Perform a risk assessment and choose a standard that addresses existing gaps.

15 / 60

Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture?

Sending control messages to open a flow that does not pass a firewall from a compromised host within the network

A brute force password attack on the Secure Shell (SSH) port of the controller

Remote Authentication Dial-In User Service (RADIUS) token replay attack

Sniffing the traffic of a compromised host inside the network

16 / 60

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the
BEST solution to securely store the private keys?

Public key infrastructure (PKI)

Encrypted flash drive

Trusted Platform Module (TPM)

Physically secured storage device

17 / 60

A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal?

Purpose specification

Individual participation

Use limitation

Collection limitation

18 / 60

A security architect is developing an information system for a client. One of the requirements is to deliver a platform that mitigates against common vulnerabilities and attacks. What is the MOST efficient option used to prevent buffer overflow attacks?

Address Space Layout Randomization (ASLR)

Process isolation

Access control mechanisms

Processor states

19 / 60

In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews?

Implement and review risk-based alerts.

Implement bi-annual reviews.

Create policies for system access.

Increase logging levels.

20 / 60

Which of the following is the MOST appropriate control for asset data labeling procedures?

Logging data media to provide a physical inventory control

Categorizing the types of media being used

Reviewing audit trails of logging records

Reviewing off-site storage access controls

21 / 60

An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP?

Security controls driven assessment that focuses on controls management

Business processes based risk assessment with a focus on business goals

Data driven risk assessment with a focus on data

Asset driven risk assessment with a focus on the assets

22 / 60

Which of the following BEST describes centralized identity management?

Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.

Service providers identify an entity by behavior analysis versus an identification factor

Service providers agree to integrate identity system recognition across organizational boundaries

Service providers perform as both the credential and identity provider (IdP)

23 / 60

The acquisition of personal data being obtained by a lawful and fair means is an example of what principle?

Openness Principle

Collection Limitation Principle

Purpose Specification Principle

Data Quality Principle

24 / 60

What level of Redundant Array of Independent Disks (RAID) is configured PRIMARILY for high-performance data reads and writes?

RAID-6

RAID-5

RAID-1

RAID-0

25 / 60

An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?

It should be expressed as general requirements

It should be expressed in business terminology

It should be expressed as technical requirements

It should be expressed in legal terminology

26 / 60

Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?

Facilitate a root cause analysis (RCA)

Lower costs throughout the System Development Life Cycle (SDLC)

Enable generation of corrective action reports

Avoid lengthy audit reports

27 / 60

What is the correct order of execution for security architecture?

Strategy and program management, project delivery, governance, operations

Strategy and program management, governance, project delivery, operations

Governance, strategy and program management, operations, project delivery

Governance, strategy and program management, project delivery, operations

28 / 60

An authentication system that uses challenge and response was recently implemented on an organization's network, because the organization conducted an annual penetration test showing that testers were able to move laterally using authenticated credentials. Which attack method was MOST likely used to achieve this?

Hash collision

Pass the ticket

Cross-Site Scripting (XSS)

Brute force

29 / 60

Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?

Internal assessment of the training program's effectiveness

Employee evaluation of the training program

Multiple choice tests to participants

Management control of reviews

30 / 60

Which of the following is the MOST effective way to ensure the endpoint devices used by remote users are compliant with an organization's approved policies before being allowed on the network?

Privileged Access Management (PAM)

Network Access Control (NAC)

Group Policy Object (GPO)

Mobile Device Management (MDM)

31 / 60

Which of the following BEST describes the purpose of software forensics?

To perform cyclic redundancy check (CRC) verification and detect changed applications

To review program code to determine the existence of backdoors

To determine the author and behavior of the code

To analyze possible malicious intent of malware

32 / 60

What process facilitates the balance of operational and economic costs of protective measures with gains in mission capability?

Security audit

Risk assessment

Risk management

Performance testing

33 / 60

What is the PRIMARY reason for criminal law being difficult to enforce when dealing with cybercrime?

Numerous language barriers exist

Jurisdiction is hard to define

Extradition treaties are rarely enforced

Law enforcement agencies are understaffed

34 / 60

Which of the following is the BEST way to protect an organization's data assets?

Monitor and enforce adherence to security policies

Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD)

Encrypt data in transit and at rest using up-to-date cryptographic algorithms

Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts

35 / 60

A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to the vendor when it is no longer needed. The vendor pays more money for functioning drives than equipment that is no longer operational. Which method of data sanitization would provide the most secure means of preventing unauthorized data loss, while also receiving the most money from the vendor?

Pinning

Degaussing

Single-pass wipe

Multi-pass wipes

36 / 60

A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following factors leads the company to choose an IDaaS as their solution?

In-house development provides more control

Third-party solutions are inherently more secure

In-house team lacks resources to support an on-premise solution

Third-party solutions are known for transferring the risk to the vendor

37 / 60

When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery?

The RPO is a goal to recover a targeted percentage of data lost

The RPO is the minimum amount of data that needs to be recovered

The RPO is the maximum amount of time for which loss of data is acceptable

The RPO is the amount of time it takes to recover an acceptable percentage of data lost

38 / 60

Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)?

Security objectives, security goals, and system test are properly conducted

Security goals, proper security controls, and validation are properly initiated

Proper security controls, security goals, and fault mitigation are properly conducted

Proper security controls, security objectives, and security goals are properly initiated

39 / 60

In software development, which of the following entities normally signs the code to protect the code integrity?

The developer

The data owner

The quality control group

The organization developing the code

40 / 60

The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards BEST describes this security approach?

Access control

Defense-in-depth

Security perimeter

Security information and event management (SIEM)

41 / 60

Which of the following BEST describes when an organization should conduct a black box security audit on a new software protect?

When the organization has experienced a security incident

When the organization is confident the final source code is complete

When the organization wishes to check for non-functional compliance

When the organization wants to enumerate known security vulnerabilities across their infrastructure

42 / 60

What is considered the BEST explanation when determining whether to provide remote network access to a third-party security service?

Business need

Supplier request

Contract negotiation

Vendor demonstration

43 / 60

Which of the following is the BEST option to reduce the network attack surface of a system?

Disabling unnecessary ports and services

Uninstalling default software on the system

Removing unnecessary system user accounts

Ensuring that there are no group accounts on the system

44 / 60

A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution by deploying the application with which of the following controls in place?

Network segmentation

Blacklisting application

Whitelisting application

Hardened configuration

45 / 60

To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the MOST effective control?

Steel casing around the facility ingress points

Ground sensors installed and reporting to a security event management (SEM) system

Regular sweeps of the perimeter, including manual inspection of the cable ingress points

Fencing around the facility with closed-circuit television (CCTV) cameras at all entry points

46 / 60

International bodies established a regulatory scheme that defines how weapons are exchanged between the signatories. It also addresses cyber weapons, including malicious software, Command and Control (C2) software, and internet surveillance software. This is a description of which of the following?

Wassenaar arrangement

Palermo convention

General Data Protection Regulation (GDPR)

International Traffic in Arms Regulations (ITAR)

47 / 60

Dumpster diving is a technique used in which stage of penetration testing methodology?

Attack

Planning

Reporting

Discovery

48 / 60

Which one of the following BEST protects vendor accounts that are used for emergency maintenance?

Encryption of routing tables

Role-based access control (RBAC)

Frequent monitoring of vendor access

Vendor access should be disabled until needed

49 / 60

The security team is notified that a device on the network is infected with malware. Which of the following is MOST effective in enabling the device to be quickly located and remediated?

Intrusion detection

Vulnerability scanner

Information Technology Asset Management (ITAM)

Data loss protection (DLP)

50 / 60

A security professional needs to find a secure and efficient method of encrypting data on an endpoint. Which solution includes a root key?

Bitlocker

Trusted Platform Module (TPM)

Hardware security module (HSM)

Virtual storage array network (VSAN)

51 / 60

Which of the following is the MOST effective strategy to prevent an attacker from disabling a network?

Implement network segmentation to achieve robustness

Test business continuity and disaster recovery (DR) plans

Design networks with the ability to adapt, reconfigure, and fail over

Follow security guidelines to prevent unauthorized network access

52 / 60

An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization's customer service portal, causing the site to crash. This is an example of which type of testing?

Positive

Negative

Performance

Non-functional

53 / 60

Using the cipher text and resultant cleartext message to derive the monoalphabetic cipher key is an example of which method of cryptanalytic attack?

Known-plaintext attack

Frequency analysis

Ciphertext-only attack

Probable-plaintext attack

54 / 60

In Federated Identity Management (FIM), which of the following represents the concept of federation?

Collection of information for common identities in a system

Collection of information logically grouped into a single entity

Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications

Collection of domains that have established trust among themselves

55 / 60

What documentation is produced FIRST when performing an effective physical loss control process?

Inventory list

Asset valuation list

Deterrent controls list

Security standards list

56 / 60

What is the MAIN purpose of a security assessment plan?

Provide education to employees on security and privacy, to ensure their awareness on policies and procedures

Provide technical information to executives to help them understand information security postures and secure funding

Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments

Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation

57 / 60

Which of the following is MOST appropriate to collect evidence of a zero-day attack?

Antispam

Honeypot

Firewall

Antivirus

58 / 60

The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?

Program management

Mobile code controls

Change management

Separation of environments

59 / 60

An organization has requested storage area network (SAN) disks for a new project. What Redundant Array of Independent Disks (RAID) level provides the BEST redundancy and fault tolerance?

RAID level 1

RAID level 3

RAID level 4

RAID level 5

60 / 60

An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim's existing browser session with a web application is an example of which of the following types of attack?

Injection

Clickjacking

Cross-Site Scripting (XSS)

Cross-site request forgery (CSRF)

Your score is

The average score is 56%

By Wordpress Quiz plugin

Free CISSP Practice Test

Disclaimer

[email protected]

Helpful links

top Vendors

Contact Us

[email protected]

FLASH OFFER

avail $6 DISCOUNT on YOUR PURCHASE