Free Practice Questions for ISC CISSP Exam

The correct matches are:

Security Risk Treatment: The method used to identify feasible security risk mitigation options and plans.

Threat Assessment: A measure of the extent to which an entity is threatened by a potential circumstance or event, the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence.

Protection Needs: The method used to identify and characterize the dangers anticipated throughout the life cycle of the system.

Risk: The method used to identify the confidentiality, integrity, and availability requirements for organizational and system assets and to characterize the adverse impact or consequences should the asset be lost, modified, degraded, disrupted, compromised, or become unavailable.

Comprehensive Explanation: These terms and definitions are based on the glossary of the Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Engineering, pp. 293-2941

References: Official (ISC)2 CISSP CBK Reference, Fifth Edition

The role that has the obligation to ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization is the data owner. A data owner is a person or an entity that has the authority or the responsibility for the data or the information within an organization, and that determines or defines the classification, the usage, the protection, or the retention of the data or the information. A data owner has the obligation to ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization, as the data owner is ultimately accountable or liable for the security or the quality of the data or the information, regardless of who processes or handles the data or the information. A data owner can ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization, by performing the tasks or the functions such as conducting due diligence, establishing service level agreements, defining security requirements, monitoring performance, or auditing compliance. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 61; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 67

According to the CISSP CBK Official Study Guide1, the identity management process in which the subject’s identity is established is enrollment. Enrollment is the process of registering or enrolling a subject into an identity management system, such as a user into an authentication system, or a device into a network. Enrollment is the process in which the subject’s identity is established, as it involves verifying and validating the subject’s identity, as well as collecting and storing the subject’s identity attributes, such as the name, email, or biometrics of the subject. Enrollment also involves issuing and assigning the subject’s identity credentials, such as the username, password, or certificate of the subject. Enrollment helps to create and maintain the subject’s identity record or profile, as well as to enable and facilitate the subject’s access and use of the system or network. Trust is not the identity management process in which the subject’s identity is established, although it may be a factor that influences the enrollment process. Trust is the degree of confidence or assurance that a subject or an entity has in another subject or entity, such as a user in a system, or a system in a network. Trust may influence the enrollment process, as it may determine the level or extent of the identity verification and validation, as well as the identity attributes and credentials that are required or provided for the enrollment process. Provisioning is not the identity management process in which the subject’s identity is established, although it may be a process that follows or depends on the enrollment process. Provisioning is the process of creating, assigning, and configuring a subject’s account or resource with the necessary access rights and permissions to perform the tasks and functions that are required by the subject’s role and responsibilities, as well as the security policies and standards of the system or network. Provisioning is not the process in which the subject’s identity is established, as it does not involve verifying and validating the subject’s identity, or collecting and storing the subject’s identity attributes or credentials. Authorization is not the identity management process in which the subject’s identity is established, although it may be a process that follows or depends on the enrollment process. Authorization is the process of granting or denying a subject’s access or use of an object or a resource, based on the subject’s identity, role, or credentials, as well as the security policies and rules of the system or network. Authorization is not the process in which the subject’s identity is established, as it does not involve verifying and validating the subject’s identity, or collecting and storing the subject’s identity attributes or credentials. References: 1

WS-Authorization

 Encapsulating Security Payload (ESP) in transport mode affects the Internet Protocol (IP) by encrypting and optionally authenticating the IP payload, but not the IP header. ESP is a protocol that provides confidentiality, integrity, and authentication for data transmitted over a network. ESP can operate in two modes: transport mode and tunnel mode. In transport mode, ESP only protects the data or payload of the IP packet, while leaving the IP header intact and visible. This mode is suitable for end-to-end communication between two hosts. In tunnel mode, ESP protects the entire IP packet, including the header and the payload, by encapsulating it within another IP packet. This mode is suitable for gateway-to-gateway or host-to-gateway communication34 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, p. 345; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 464.

 IPSec provides confidentiality and integrity for data in transit by encrypting and authenticating all IP packets exchanged between participating devices.

References:

CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, p. 308.

CISSP practice exam questions and answers, Question 9.

The opening of a mechanical lock without the proper key by carefully aligning the pins in the lock is defined as lock picking. A mechanical lock is a device that secures an entry point, such as a door, a window, or a cabinet, by using a physical mechanism, such as a pin tumbler, a wafer, or a disc detainer. A mechanical lock requires a proper key to unlock it, which matches the configuration of the mechanism. Lock picking is a technique of manipulating the mechanism of the lock without the proper key, usually by using tools, such as picks, tension wrenches, or rakes. Lock picking can exploit the flaws or weaknesses of the lock, such as the variations, tolerances, or defects of the pins or the cylinder. Lock picking can be used for legitimate purposes, such as locksmithing, hobby, or sport, or for illegitimate purposes, such as burglary, espionage, or sabotage.References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Engineering, p. 136; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Engineering, p. 297.

According to the CISSP Official (ISC)2 Practice Tests3, the most effective way to dispose of data on multiple hard drives is to perform multiple passes on each drive using approved formatting methods. This means that the data on the hard drives should be overwritten with random or meaningless patterns several times, using software tools or commands that follow the standards and guidelines for secure data erasure. This can ensure that the data on the hard drives is irrecoverable and unreadable, even by using advanced forensic techniques or tools. Deleting every file on each drive is not an effective way to dispose of data on multiple hard drives, as it does not actually erase the data, but only removes the pointers or references to the data. The data can still be recovered and read by using undelete or recovery tools, or by accessing the slack or unallocated space on the drive. Destroying the partition table for each drive using the command line is not an effective way to dispose of data on multiple hard drives, as it does not actually erase the data, but only removes the information about how the drive is divided into logical sections. The data can still be recovered and read by using partition recovery tools, or by accessing the raw data on the drive. Degaussing each drive individually is not an effective way to dispose of data on multiple hard drives, as it may not work on modern hard drives that use perpendicular recording technology. Degaussing is a process that uses a strong magnetic field to erase the data on magnetic media, such as tapes or disks. However, modern hard drives have higher coercivity, which means they require a stronger magnetic field to be erased, and degaussing may not be able to generate such a field. Degaussing may also damage the hard drive components and render them unusable. References: 3

The primary difference between security policies and security procedures is that policies are generic in nature, and procedures contain operational details. Security policies are the high-level statements or rules that define the goals, objectives, and requirements of security for an organization. Security procedures are the low-level steps or actions that specify how to implement, enforce, and comply with the security policies.

A. Policies are used to enforce violations, and procedures create penalties is not a correct answer, as it confuses the roles and functions of policies and procedures. Policies are used to create penalties, and procedures are used to enforce violations. Penalties are the consequences or sanctions that are imposed for violating the security policies, and they are defined by the policies. Enforcement is the process or mechanism of ensuring compliance with the security policies, and it is carried out by the procedures.

B. Policies point to guidelines, and procedures are more contractual in nature is not a correct answer, as it misrepresents the nature and purpose of policies and procedures. Policies are not merely guidelines, but rather mandatory rules that bind the organization and its stakeholders to follow the security principles and standards. Procedures are not contractual in nature, but rather operational in nature, as they describe the specific tasks and activities that are necessary to achieve the security goals and objectives.

C. Policies are included in awareness training, and procedures give guidance is not a correct answer, as it implies that policies and procedures have different audiences and functions. Policies and procedures are both included in awareness training, and they both give guidance. Awareness training is the process of educating and informing the organization and its stakeholders about the security policies and procedures, and their roles and responsibilities in security. Guidance is the process of providing direction and advice on how to comply with the security policies and procedures, and how to handle security issues and incidents.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 17; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 13

According to the CISSP All-in-One Exam Guide, the restoration priorities of a Disaster Recovery Plan (DRP) are based on the Business Impact Analysis (BIA). A DRP is a document that defines the procedures and actions to be taken in the event of a disaster that disrupts the normal operations of an organization. A restoration priority is the order or sequence in which the critical business processes and functions, as well as the supporting resources, such as data, systems, personnel, and facilities, are restored after a disaster. A BIA is a process that assesses the potential impact and consequences of a disaster on the organization’s business processes and functions, as well as the supporting resources. A BIA helps to identify and prioritize the critical business processes and functions, as well as the recovery objectives and time frames for them. A BIA also helps to determine the dependencies and interdependencies among the business processes and functions, as well as the supporting resources. Therefore, the restoration priorities of a DRP are based on the BIA, as it provides the information and analysis that are needed to plan and execute the recovery strategy. A Service Level Agreement (SLA) is not the document that the restoration priorities of a DRP are based on, although it may be a factor that influences the restoration priorities. An SLA is a document that defines the expectations and requirements for the quality and performance of a service or product that is provided by a service provider to a customer or client, such as the availability, reliability, scalability, or security of the service or product. An SLA may help to justify or support the restoration priorities of a DRP, but it does not provide the information and analysis that are needed to plan and execute the recovery strategy. A Business Continuity Plan (BCP) is not the document that the restoration priorities of a DRP are based on, although it may be a document that is aligned with or integrated with a DRP. A BCP is a document that defines the procedures and actions to be taken to ensure the continuity of the essential business operations during and after a disaster. A BCP may cover the same or similar business processes and functions, as well as the supporting resources, as a DRP, but it focuses on the continuity rather than the recovery of them. A BCP may also include other aspects or components that are not covered by a DRP, such as the prevention, mitigation, or response to a disaster. A crisis management plan is not the document that the restoration priorities of a DRP are based on, although it may be a document that is aligned with or integrated with a DRP. A crisis management plan is a document that defines the procedures and actions to be taken to manage and resolve a crisis or emergency situation that may affect the organization, such as a natural disaster, a cyberattack, or a pandemic. A crisis management plan may cover the same or similar business processes and functions, as well as the supporting resources, as a DRP, but it focuses on the management rather than the recovery of them. A crisis management plan may also include other aspects or components that are not covered by a DRP, such as the communication, coordination, or escalation of the crisis or emergency situation.

 The biggest weakness when using native Lightweight Directory Access Protocol (LDAP) for authentication is that passwords are passed in clear text over the network, exposing them to eavesdropping and interception attacks. To mitigate this risk, LDAP should be used with encryption protocols, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), or with authentication protocols, such as Kerberos or Simple Authentication and Security Layer (SASL).

A. Authorizations are not included in the server response is not the biggest weakness when using native LDAP for authentication, but rather a limitation of the protocol that requires additional mechanisms to implement access control policies.

B. Unsalted hashes are passed over the network is not the biggest weakness when using native LDAP for authentication, but rather a potential vulnerability of the password storage scheme that could expose passwords to brute-force or dictionary attacks.

C. The authentication session can be replayed is not the biggest weakness when using native LDAP for authentication, but rather a possible threat that could compromise the confidentiality and integrity of the session data.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 281; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, page 230

The method that prevents improper aggregation of privileges in role based access control (RBAC) is dynamic separation of duties. RBAC is a type of access control model that assigns permissions and privileges to users or devices based on their roles or functions within an organization, rather than their identities or attributes. RBAC can simplify and streamline the access control management, as it can reduce the complexity and redundancy of the permissions and privileges. However, RBAC can also introduce the risk of improper aggregation of privileges, which is the situation where a user or a device can accumulate more permissions or privileges than necessary or appropriate for their role or function, either by having multiple roles or by changing roles over time. Dynamic separation of duties is a method that prevents improper aggregation of privileges in RBAC, by enforcing rules or constraints that limit or restrict the roles or the permissions that a user or a device can have or use at any given time or situation.

A. Hierarchical inheritance is not a method that prevents improper aggregation of privileges in RBAC, but rather a method that enables proper delegation of privileges in RBAC. Hierarchical inheritance is a method that allows the roles or the permissions in RBAC to be organized and structured in a hierarchical or a tree-like manner, where the higher-level roles or permissions can inherit or include the lower-level roles or permissions. Hierarchical inheritance can facilitate the delegation of privileges in RBAC, as it can ensure that the roles or the permissions are consistent and compatible with the organizational hierarchy or the business logic.

C. The Clark-Wilson security model is not a method that prevents improper aggregation of privileges in RBAC, but rather a type of access control model that enforces the integrity or the accuracy of the data or the transactions within an information system. The Clark-Wilson security model is a type of access control model that defines and regulates the access and the operations that the users or the devices can perform on the data or the transactions, based on the concepts of well-formed transactions, separation of duties, and auditing. The Clark-Wilson security model can prevent unauthorized or improper modification or manipulation of the data or the transactions, by ensuring that the access and the operations are valid and verified.

D. The Bell-LaPadula security model is not a method that prevents improper aggregation of privileges in RBAC, but rather a type of access control model that enforces the confidentiality or the secrecy of the data or the information within an information system. The Bell-LaPadula security model is a type of access control model that defines and regulates the access and the operations that the users or the devices can perform on the data or the information, based on the concepts of security levels, security labels, and security rules. The Bell-LaPadula security model can prevent unauthorized or improper disclosure or leakage of the data or the information, by ensuring that the access and the operations are consistent and compliant with the security policies.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 349; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 310

 In the Open System Interconnection (OSI) model, the layer that is responsible for the transmission of binary data over a communications network is the Physical Layer. The OSI model is a conceptual framework or a reference model that describes or defines how the different components or elements of a communications network interact or communicate with each other, using a layered or a modular approach. The OSI model consists of seven layers, each with a specific function or role, and each communicating or interfacing with the adjacent layers. The Physical Layer is the lowest or the first layer of the OSI model, and it is responsible for the transmission of binary data over a communications network, which means that it is responsible for converting or encoding the data or the information into electrical signals, optical signals, or radio waves, and sending or receiving them over the physical medium or the channel, such as the cable, the fiber, or the air. The Physical Layer is also responsible for defining or specifying the physical characteristics or the properties of the physical medium or the channel, such as the voltage, the frequency, the bandwidth, or the modulation. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 101; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 158

The Security Assessment and Authorization (SA&A) process is a framework that ensures that information systems meet the security requirements and standards of the organization and the applicable laws and regulations. The SA&A process consists of four phases: initiation, assessment, authorization, and monitoring. During the initiation phase, one of the primary purposes for conducting a hardware and software inventory is to define the boundaries of the information system, i.e., the scope and extent of the system components, interfaces, and data flows. Defining the boundaries of the information system helps to identify the security risks, controls, and responsibilities associated with the system, as well as to determine the level of effort and resources required for the assessment and authorization phases12. References:

Security Assessment and Authorization - NIST, Section: 2.1 Initiation Phase

Security Assessment and Authorization - NIST, Section: 2.1.1 Identify Information System Boundaries