Free Practice Questions for ISC CISSP Exam

Attending a cybersecurity seminar to learn about current incident response methodologies aligns with the ethical canon of advancing and protecting the profession. It involves enhancing one’s knowledge and skills, contributing to the growth and integrity of the field, and staying abreast of the latest developments and best practices in information security. References: ISC² Code of Ethics

The best mechanism to prevent a Cross-Site Request Forgery (CSRF) attack is to use synchronized session tokens. A CSRF attack is a type of web application vulnerability that exploits the trust that a site has in a user’s browser. A CSRF attack occurs when a malicious site, email, or link tricks a user’s browser into sending a forged request to a vulnerable site, where the user is already authenticated. The vulnerable site cannot distinguish between the legitimate and the forged requests, and may perform an unwanted action on behalf of the user, such as changing a password, transferring funds, or deleting data. Synchronized session tokens are a technique to prevent CSRF attacks by adding a random and unique value to each request that is generated by the server and verified by the server before processing the request. The token is usually stored in a hidden form field or a custom HTTP header, and is tied to the user’s session. The token ensures that the request originates from the same site that issued it, and not from a malicious site. Synchronized session tokens are also known as CSRF tokens, anti-CSRF tokens, or state tokens. Parameterized database queries, whitelist input values, and use strong ciphers are not mechanisms to prevent CSRF attacks, although they may be useful for other types of web application vulnerabilities. Parameterized database queries are a technique to prevent SQL injection attacks by using placeholders or parameters for user input, instead of concatenating or embedding user input directly into the SQL query. Parameterized database queries ensure that the user input is treated as data and not as part of the SQL command. Whitelist input values are a technique to prevent input validation attacks by allowing only a predefined set of values or characters for user input, instead of rejecting or filtering out unwanted or malicious values or characters. Whitelist input values ensure that the user input conforms to the expected format and type. Use strong ciphers are a technique to prevent encryption attacks by using cryptographic algorithms and keys that are resistant to brute force, cryptanalysis, or other attacks. Use strong ciphers ensure that the encrypted data is confidential, authentic, and integral. 

The identity and access provisioning lifecycle is the process of managing the creation, modification, and termination of user accounts and access rights in an organization. The second step in this lifecycle is approval, which means that the identity and access requests must be authorized by the appropriate managers or administrators before they are implemented. Approval ensures that the principle of least privilege is followed and that only authorized users have access to the required resources. 

The minimum frequency for audits of permissions to individual or group accounts is continually. Audits of permissions are the processes of reviewing and verifying the user accounts and access rights on a system or a network, and ensuring that they are appropriate, necessary, and compliant with the policies and standards. Audits of permissions can provide some benefits for security, such as enhancing the accuracy and the reliability of the user accounts and access rights, identifying and removing any excessive, obsolete, or unauthorized access rights, and supporting the audit and the compliance activities. Audits of permissions should be performed continually, which means that they should be conducted on a regular and consistent basis, without any interruption or delay. Continual audits of permissions can help to maintain the security and the integrity of the system or the network, by detecting and addressing any changes or issues that may affect the user accounts and access rights, such as role changes, transfers, promotions, or terminations. Continual audits of permissions can also help to ensure the effectiveness and the feasibility of the audit process, by reducing the workload and the complexity of the audit tasks, and by providing timely and relevant feedback and results. Annually, to correspond with staff promotions, and to correspond with terminations are not the minimum frequencies for audits of permissions to individual or group accounts, although they may be related or possible frequencies. Annually means that the audits of permissions are performed once a year, which may not be sufficient or adequate to maintain the security and the integrity of the system or the network, as the user accounts and access rights may change or become outdated more frequently than that, due to various factors, such as role changes, transfers, promotions, or terminations. Annually audits of permissions may also increase the workload and the complexity of the audit process, as they may involve a large number of user accounts and access rights to review and verify, and they may not provide timely and relevant feedback and results. To correspond with staff promotions means that the audits of permissions are performed whenever a staff member is promoted to a higher or a different position within the organization, which may affect their user accounts and access rights. To correspond with staff promotions audits of permissions can help to ensure that the user accounts and access rights are aligned with the current roles or functions of the staff members, and that they follow the principle of least privilege. However, to correspond with staff promotions audits of permissions may not be sufficient or adequate to maintain the security and the integrity of the system or the network, as the user accounts and access rights may change or become outdated due to other factors, such as role changes, transfers, or terminations, and they may not be performed on a regular and consistent basis. To correspond with terminations means that the audits of permissions are performed whenever a staff member leaves the organization, which may affect their user accounts and access rights. To correspond with terminations audits of permissions can help to ensure that the user accounts and access rights are revoked or removed from the system or the network, and that they prevent any unauthorized or improper access or use. However, to correspond with terminations audits of permissions may not be sufficient or adequate to maintain the security and the integrity of the system or the network, as the user accounts and access rights may change or become outdated due to other factors, such as role changes, transfers, or promotions, and they may not be performed on a regular and consistent basis.

The most effective method to mitigate future infections caused by connecting a Universal Serial Bus (USB) storage device is to implement centralized technical control of USB port connections. USB port connections are the physical interfaces that allow USB devices, such as flash drives, keyboards, or mice, to connect to a computer or a network. USB port connections can pose a security risk, as they can be used to introduce or spread malware, to steal or leak data, or to bypass other security controls. Centralized technical control of USB port connections is a technique that uses a centralized system or a policy to monitor, restrict, or disable the USB port connections on the computers or the network. Centralized technical control of USB port connections can prevent or limit future infections caused by connecting a USB storage device, as it can block or allow the USB devices based on various criteria, such as the device type, the device ID, the user ID, the time, or the location. Centralized technical control of USB port connections can also provide some benefits for web security, such as enhancing the visibility and the auditability of the USB activities, enforcing the compliance and the consistency of the USB policies, and reducing the reliance and the burden on the end users. Develop a written organizational policy prohibiting unauthorized USB devices, train users on the dangers of transferring data in USB devices, and encrypt removable USB devices containing data at rest are not the most effective methods to mitigate future infections caused by connecting a USB storage device, although they may be related or useful techniques. Develop a written organizational policy prohibiting unauthorized USB devices is a technique that uses a formal document to define and communicate the rules and the expectations regarding the usage of USB devices on the computers or the network. Develop a written organizational policy prohibiting unauthorized USB devices can provide some benefits for web security, such as raising the awareness and the responsibility of the parties, establishing the standards and the guidelines for the USB activities, and providing the basis and the justification for the enforcement and the sanctions of the USB policies. However, develop a written organizational policy prohibiting unauthorized USB devices is not sufficient to prevent or limit future infections caused by connecting a USB storage device, as the policy may not be effectively implemented, communicated, or followed by the parties, and it may not be able to address the dynamic and the complex nature of the USB threats. Train users on the dangers of transferring data in USB devices is a technique that uses education and awareness programs to inform and instruct the users about the risks and the best practices of using USB devices on the computers or the network. Train users on the dangers of transferring data in USB devices can provide some benefits for web security, such as improving the knowledge and the skills of the users, changing the attitudes and the behaviors of the users, and empowering the users to make informed and secure decisions regarding the USB activities. 

 The most common method of memory protection is segmentation. Segmentation is a technique that divides the memory space into logical segments, such as code, data, stack, and heap. Each segment has its own attributes, such as size, location, access rights, and protection level. Segmentation can help to isolate and protect the memory segments from unauthorized or unintended access, modification, or execution, as well as to prevent memory corruption, overflow, or leakage. Compartmentalization, error correction, and VLAN tagging are not methods of memory protection, but of information protection, data protection, and network protection, respectively. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Engineering, page 589; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 370.

Access to session state variables is required to validate web session management. Web session management is the process of maintaining the state and information of a user across multiple requests and interactions with a web application. Web session management relies on session state variables, which are data elements that store the user’s preferences, settings, authentication status, and other relevant information for the duration of the session. Session state variables can be stored on the client side (such as cookies or local storage) or on the server side (such as databases or files). To validate web session management, it is necessary to access the session state variables and verify that they are properly generated, maintained, and destroyed by the web application. This can help to ensure the security, functionality, and performance of the web application and the user experience. The other options are not required to validate web session management. Log timestamp is a data element that records the date and time of a user’s activity or event on the web application, but it does not store the user’s state or information. Live session traffic is the network data that is exchanged between the user and the web application during the session, but it does not reflect the session state variables that are stored on the client or the server side. Test scripts are code segments that are used to automate the testing of the web application’s features and functions, but they do not access the session state variables directly. References: Session Management - OWASP Cheat Sheet Series; Session Management: An Overview | SecureCoding.com; Session Management in HTTP - GeeksforGeeks.

Section: Security Operations

The factors that must be considered when classifying information and supporting assets for risk management, legal discovery, and compliance are data stewardship roles, data handling and storage standards, and data lifecycle requirements. Data stewardship roles are the roles and responsibilities of the individuals or entities who are accountable for the creation, maintenance, protection, and disposal of the information and supporting assets. Data stewardship roles include data owners, data custodians, data users, and data stewards. Data handling and storage standards are the policies, procedures, and guidelines that define how the information and supporting assets should be handled and stored, based on their classification level, sensitivity, and value. Data handling and storage standards include data labeling, data encryption, data backup, data retention, and data disposal. Data lifecycle requirements are the requirements that specify the stages and processes that the information and supporting assets should go through, from their creation to their destruction. Data lifecycle requirements include data collection, data processing, data analysis, data sharing, data archiving, and data deletion. System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements are not the factors that must be considered when classifying information and supporting assets for risk management, legal discovery, and compliance, although they may be related or relevant concepts. System owner roles and responsibilities are the roles and responsibilities of the individuals or entities who are accountable for the operation, performance, and security of the system that hosts or processes the information and supporting assets. System owner roles and responsibilities include system authorization, system configuration, system monitoring, and system maintenance. Data handling standards are the policies, procedures, and guidelines that define how the information should be handled, but not how the supporting assets should be stored. Data handling standards are a subset of data handling and storage standards. Storage and secure development lifecycle requirements are the requirements that specify the stages and processes that the storage and development systems should go through, from their inception to their decommissioning. Storage and secure development lifecycle requirements include storage design, storage implementation, storage testing, storage deployment, storage operation, storage maintenance, and storage disposal. Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements are not the factors that must be considered when classifying information and supporting assets for risk management, legal discovery, and compliance, although they may be related or relevant concepts. Compliance office roles and responsibilities are the roles and responsibilities of the individuals or entities who are accountable for ensuring that the organization complies with the applicable laws, regulations, standards, and policies. Compliance office roles and responsibilities include compliance planning, compliance assessment, compliance reporting, and compliance improvement. Classified material handling standards are the policies, procedures, and guidelines that define how the information and supporting assets that are classified by the government or military should be handled and stored, based on their security level, such as top secret, secret, or confidential. Classified material handling standards are a subset of data handling and storage standards. Storage system lifecycle requirements are the requirements that specify the stages and processes that the storage system should go through, from its inception to its decommissioning. Storage system lifecycle requirements are a subset of storage and secure development lifecycle requirements. System authorization roles and responsibilities, cloud computing standards, lifecycle requirements are not the factors that must be considered when classifying information and supporting assets for risk management, legal discovery, and compliance, although they may be related or relevant concepts. System authorization roles and responsibilities are the roles and responsibilities of the individuals or entities who are accountable for granting or denying access to the system that hosts or processes the information and supporting assets. System authorization roles and responsibilities include system identification, system authentication, system authorization, and system auditing. Cloud computing standards are the standards that define the requirements, specifications, and best practices for the delivery of computing services over the internet, such as infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). Cloud computing standards include cloud service level agreements (SLAs), cloud interoperability, cloud portability, and cloud security. Lifecycle requirements are the requirements that specify the stages and processes that the information and supporting assets should go through, from their creation to their destruction. Lifecycle requirements are the same as data lifecycle requirements. 

The management process that allows only those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates is configuration. Configuration is the process of setting and adjusting the parameters and options of a system or a network, such as hardware, software, or services, to meet the requirements and objectives of the organization. Configuration can provide some benefits for security, such as enhancing the performance and the functionality of the system or the network, preventing or mitigating some types of attacks or vulnerabilities, and supporting the audit and compliance activities. Configuration can involve various techniques and tools, such as configuration management, configuration control, configuration auditing, or configuration baselines. Configuration can allow only those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates, by using the following methods:

Enabling or disabling the services that are necessary or unnecessary for the system or the network, such as file sharing, remote access, or printing. This can help to reduce the attack surface and the exposure of the system or the network, as well as to optimize the resource utilization and the bandwidth consumption.

Changing the default user passwords that are provided by the vendors or the manufacturers of the system or the network, such as routers, switches, or servers. This can help to prevent or mitigate some types of attacks or unauthorized access, such as brute force, dictionary, or credential stuffing, by using strong and unique passwords that are difficult to guess or crack.

Setting the servers to retrieve antivirus updates automatically or periodically from the trusted sources, such as the antivirus vendors or the security providers. This can help to protect the system or the network from malware infections or exploits, by updating and applying the latest malware signatures, heuristics, or behavioral analysis to the system or the network.

The capabilities of the system that allow its business users to perform business functions but not user administration functions, and its application administrators to perform administration functions but not user business functions, are best described as separation of duties. Separation of duties is a security principle that divides the roles and responsibilities of different tasks or functions among different individuals or groups, so that no one person or group has complete control or authority over a critical process or asset. Separation of duties can help to prevent fraud, collusion, abuse, or errors, and to ensure accountability, oversight, and checks and balances. Least privilege, rule based access controls, and Mandatory Access Control (MAC) are not the best descriptions of the capabilities of the system, as they do not reflect the division of roles and responsibilities among different users or groups. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 32. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 45.

The action that must be taken if a vulnerability is discovered during the maintenance stage in a SDLC is to make changes following principle and design guidelines. Principle and design guidelines are the rules and standards that define the security objectives, requirements, and specifications of the system. They also provide the criteria and methods for evaluating and testing the security of the system. By making changes following principle and design guidelines, the organization can ensure that the vulnerability is fixed in a secure and consistent manner, and that the system maintains its functionality and quality. The other options are not actions that must be taken, as they either do not fix the vulnerability (B and D), or do not follow the principle and design guidelines ©. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 461; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 553.

A common challenge when implementing SAML for identity integration between on-premise environment and an external identity provider service is that some users are not provisioned into the service. Provisioning is a process of creating, updating, or deleting the user accounts or profiles in a service or an application, based on the user identity or credentials. When implementing SAML for identity integration, the on-premise environment acts as the identity provider, which authenticates the user and issues the SAML assertion, and the external service acts as the service provider, which receives the SAML assertion and grants access to the user. However, if the user account or profile is not provisioned or synchronized in the external service, the user may not be able to access the service, even if they have a valid SAML assertion. Therefore, a common challenge when implementing SAML for identity integration is to ensure that the user provisioning is consistent and accurate between the on-premise environment and the external service. SAML tokens are provided by the on-premise identity provider, single users can be revoked from the service, and SAML tokens contain user information are not common challenges when implementing SAML for identity integration, as they are related to the functionality, granularity, or content of the SAML protocol, not the provisioning of the user accounts or profiles. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 693. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 709.

 When using third-party software developers, the most effective method of providing software development Quality Assurance (QA) is to perform overlapping code reviews by both parties. Code reviews are the process of examining the source code of an application for quality, functionality, security, and compliance. Overlapping code reviews by both parties means that the code is reviewed by both the third-party developers and the contracting organization, and that the reviews cover the same or similar aspects of the code. This can ensure that the code meets the requirements and specifications, that the code is free of defects or vulnerabilities, and that the code is consistent and compatible with the existing system or environment. Retaining intellectual property rights through contractual wording, verifying that the contractors attend development planning meetings, and creating a separate contractor development environment are all possible methods of providing software development QA, but they are not the most effective method of doing so. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1026. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1050.

The factor that most influences the design of the organization’s electronic monitoring policies is workplace privacy laws. Workplace privacy laws are the laws that regulate the extent and manner of the employer’s monitoring or surveillance of the employee’s activities, communications, or behavior in the workplace, such as email, phone, internet, or video monitoring. Workplace privacy laws vary by country, state, or region, and may impose different requirements or restrictions on the employer’s electronic monitoring policies, such as the purpose, scope, consent, disclosure, or protection of the monitoring data. The employer must comply with the applicable workplace privacy laws when designing and implementing the electronic monitoring policies, to avoid violating the employee’s privacy rights or facing legal consequences. Level of organizational trust, results of background checks, and business ethical considerations are not the factors that most influence the design of the organization’s electronic monitoring policies, as they are related to the culture, security, or values of the organization, not the legal or regulatory framework of the electronic monitoring. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 50. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 65.