Free Practice Questions for ISC CISSP Exam

The primary way to measure the effectiveness of the security program is through the audit findings. The audit findings are the results or the outcomes of the audit process, which is a systematic and independent examination of the security activities and initiatives, to determine whether they comply with the security policies and standards, and whether they achieve the security objectives and goals. The audit findings can help to evaluate the effectiveness of the security program, as they can identify and report the strengths and the weaknesses, the successes and the failures, and the gaps and the risks of the security program, and they can provide the recommendations and the feedback for the improvement and the enhancement of the security program. Risk elimination, audit requirements, and customer satisfaction are not the primary ways to measure the effectiveness of the security program, as they are related to the impossibility, the necessity, or the quality of the security program, not the evaluation or the assessment of the security program. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 39. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 54.

A data retention policy is a document that specifies the rules and guidelines for how long and under what conditions an organization should retain its data. The main goal of a data retention policy is to ensure the integrity and confidentiality of data for a predetermined amount of time. Integrity means that the data is accurate, complete, and consistent, and that it has not been modified or corrupted by unauthorized parties. Confidentiality means that the data is protected from unauthorized access or disclosure, and that it respects the privacy and security of the data owners or subjects. A data retention policy can help an organization to comply with the legal or regulatory requirements, to support the business or operational needs, and to reduce the storage or management costs of the data. Ensuring that data is destroyed properly, ensuring that data recovery can be done on the data, and ensuring the availability of data for a predetermined amount of time are not the main goals of a data retention policy, as they are related to the disposal, restoration, or accessibility of the data, not the integrity or confidentiality of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 49. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 64.

 The action that an organization that shares card holder information with a service provider must do when dealing with compliance with the Payment Card Industry-Data Security Standard (PCI-DSS) is to validate the service provider’s PCI-DSS compliance status on a regular basis. PCI-DSS is a set of security standards that applies to any organization that stores, processes, or transmits card holder data, such as credit or debit card information. PCI-DSS aims to protect the card holder data from unauthorized access, use, disclosure, or theft, and to ensure the security and integrity of the payment transactions. If an organization shares card holder data with a service provider, such as a payment processor, a hosting provider, or a cloud provider, the organization is still responsible for the security and compliance of the card holder data, and must ensure that the service provider also meets the PCI-DSS requirements. The organization must validate the service provider’s PCI-DSS compliance status on a regular basis, by obtaining and reviewing the service provider’s PCI-DSS assessment reports, such as the Self-Assessment Questionnaire (SAQ), the Report on Compliance (ROC), or the Attestation of Compliance (AOC). Performing a service provider PCI-DSS assessment on a yearly basis, validating that the service provider’s security policies are in alignment with those of the organization, and ensuring that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly basis are not the actions that an organization that shares card holder information with a service provider must do when dealing with compliance with PCI-DSS, as they are not sufficient or relevant to verify the service provider’s PCI-DSS compliance status or to protect the card holder data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 49. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 64.

The primary security concern as staff is released from the organization is the loss of data and separation of duties. The loss of data is the event or the situation where the data is deleted, corrupted, stolen, or leaked by the staff who are leaving the organization, either intentionally or unintentionally, and where the data is no longer available or recoverable by the organization. The loss of data can compromise the confidentiality, the integrity, and the availability of the data, and can cause damage or harm to the organization’s operations, reputation, or objectives. The separation of duties is the principle or the practice of dividing the tasks or the responsibilities among different staff or roles, to prevent or reduce the conflicts of interest, the collusion, the fraud, or the errors. The separation of duties can be compromised when the staff is released from the organization, as it can create the gaps or the overlaps in the tasks or the responsibilities, and it can increase the risk of the unauthorized or the malicious access or activity. Inadequate IT support, undocumented security controls, and additional responsibilities for remaining staff are not the primary security concerns as staff is released from the organization, as they are related to the quality, the transparency, or the workload of the IT operations, not the loss of data or the separation of duties. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 29. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 44.

The primary security concern for an organization that publishes and periodically updates its employee policies in a file on their intranet is integrity. Integrity is the property that ensures that the data or the information is accurate, complete, consistent, and authentic, and that it has not been modified, altered, or corrupted by unauthorized or malicious parties. Integrity is a primary security concern for the employee policies file on the intranet, as it can affect the compliance, trust, and reputation of the organization, and the rights and responsibilities of the employees. The employee policies file must reflect the current and valid policies of the organization, and must not be changed or tampered with by anyone who is not authorized or qualified to do so. Availability, confidentiality, and ownership are not the primary security concerns for the employee policies file on the intranet, as they are related to the accessibility, protection, or attribution of the data or the information, not the accuracy or the authenticity of the data or the information. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 20. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 33.

The plan must include employee education in order to reduce client-side exploitation. Employee education is a process of providing the employees with the necessary knowledge, skills, and awareness to follow the security policies and procedures, and to prevent or avoid the common security threats or risks, such as client-side exploitation. Client-side exploitation is a type of attack that targets the vulnerabilities or weaknesses of the client applications or systems, such as web browsers, email clients, or media players, and that can compromise the client data or functionality, or allow the attacker to gain access to the network or the server. Employee education can help to reduce client-side exploitation by teaching the employees how to recognize and avoid the malicious or suspicious links, attachments, or downloads, how to update and patch their client applications or systems, how to use the security tools or features, such as antivirus or firewall, and how to report or respond to any security incidents or breaches. Approved web browsers, network firewall procedures, and proxy configuration are not the plan components that must be included in order to reduce client-side exploitation, as they are related to the technical or administrative controls or measures, not the human or behavioral factors, that can affect the client-side security. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 47. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 62.

A synchronous token is a hardware device that generates and displays a one-time password (OTP) that changes at fixed intervals, usually based on a clock or a counter. The OTP is synchronized with the authentication server, and the user must enter the OTP within a certain time window to log in. This is an example of single factor authentication based on something the user has (the token). The other options are not correct, as they either do not match the description of the token (A and B), or do not specify the type of token ©. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 331; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 387.

The type of attack that embedded systems may be prone to without proper signal protection is information disclosure. Information disclosure is a type of attack that exposes or reveals sensitive or confidential information to unauthorized parties, such as attackers, competitors, or the public. Information disclosure can occur through various means, such as interception, leakage, or theft of the information. Embedded systems are systems that are integrated into other devices or machines, such as cars, medical devices, or industrial controllers, and perform specific functions or tasks. Embedded systems may communicate with other systems or devices through signals, such as radio frequency, infrared, or sound waves. Without proper signal protection, such as encryption, authentication, or shielding, embedded systems may be vulnerable to information disclosure, as the signals may be captured, analyzed, or modified by attackers, and the information contained in the signals may be compromised. Brute force, tampering, and denial of service are not the types of attack that embedded systems may be prone to without proper signal protection, as they are related to the guessing, alteration, or prevention of the access or functionality of the systems, not the exposure or revelation of the information. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 311. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, Security Architecture and Engineering, page 327.

The attribute of the data that has been compromised, if it is discovered that large quantities of information have been copied by the unauthorized individual, is the confidentiality. The confidentiality is the property or the characteristic of the data that ensures that the data is only accessible or disclosed to the authorized individuals or entities, and that the data is protected from the unauthorized or the malicious access or disclosure. The confidentiality of the data can be compromised when the data is copied, stolen, leaked, or exposed by an unauthorized individual or a malicious actor, such as the one who accessed the system hosting the database. The compromise of the confidentiality of the data can violate the privacy, the rights, or the interests of the data owners, subjects, or users, and can cause damage or harm to the organization’s operations, reputation, or objectives. Availability, integrity, and accountability are not the attributes of the data that have been compromised, if it is discovered that large quantities of information have been copied by the unauthorized individual, as they are related to the accessibility, the accuracy, or the responsibility of the data, not the secrecy or the protection of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 263. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, Security Architecture and Engineering, page 279.

The best reason to review audit logs periodically is to identify anomalies in use patterns that may indicate unauthorized or malicious activities, such as intrusion attempts, data breaches, policy violations, or system errors. Audit logs record the events and actions that occur on a system or network, and can provide valuable information for security analysis, investigation, and response. The other options are not as good as identifying anomalies, as they either do not relate to security (B), or are not the primary purpose of audit logs (A and D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 405; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 465.

The primary reason for ethics awareness and related policy implementation is to affect the reputation of an organization positively, by demonstrating its commitment to ethical principles, values, and standards in its business practices, services, and products. Ethics awareness and policy implementation can also help the organization avoid legal liabilities, fines, or sanctions for unethical conduct, and foster trust and loyalty among its customers, partners, and employees. The other options are not as important as affecting the reputation, as they either do not directly relate to ethics (A), or are secondary outcomes of ethics (C and D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 19; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 28.

The main feature that onion routing networks offer is anonymity. Anonymity is the state of being unknown or unidentifiable by hiding or masking the identity or the location of the sender or the receiver of a communication. Onion routing is a technique that enables anonymous communication over a network, such as the internet, by encrypting and routing the messages through multiple layers of intermediate nodes, called onion routers. Onion routing can protect the privacy and security of the users or the data, and can prevent censorship, surveillance, or tracking by third parties. Non-repudiation, traceability, and resilience are not the main features that onion routing networks offer, as they are related to the proof, tracking, or recovery of the communication, not the anonymity of the communication. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 467. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 483.

The following information classification steps should be placed in sequential order as follows:

Document the information assets

Assign a classification level

Apply the appropriate security markings

Conduct periodic classification reviews

Declassify information when appropriate

 Information classification is a process or a method of categorizing the information assets based on their sensitivity, criticality, or value, and applying the appropriate security controls or measures to protect them. Information classification can help to ensure the confidentiality, the integrity, and the availability of the information assets, and to support the security, the compliance, or the business objectives of the organization. The information classification steps are the activities or the tasks that are involved in the information classification process, and they should be performed in a sequential order, as follows:

Document the information assets: This step involves identifying, inventorying, and describing the information assets that are owned, used, or managed by the organization, such as the data, the documents, the records, or the media. This step can help to determine the scope, the ownership, or the characteristics of the information assets, and to prepare for the next steps of the information classification process.

Assign a classification level: This step involves assigning a classification level or a label to each information asset, based on the sensitivity, the criticality, or the value of the information asset, and the impact or the consequence of the unauthorized or the malicious access, disclosure, modification, or destruction of the information asset. The classification level or the label can indicate the degree or the extent of the security protection or the handling that the information asset requires, such as the confidentiality, the integrity, or the availability. The classification level or the label can vary depending on the organization’s policies, standards, or regulations, but some common examples are public, internal, confidential, or secret.

Apply the appropriate security markings: This step involves applying the appropriate security markings or indicators to the information assets, based on the classification level or the label of the information assets. The security markings or indicators can include the visual, the physical, or the electronic symbols, signs, or codes that show the classification level or the label of the information assets, such as the banners, the headers, the footers, the stamps, the stickers, the tags, or the metadata. The security markings or indicators can help to communicate, inform, or remind the users or the entities of the security protection or the handling that the information assets require, and to prevent or reduce the risk of the unauthorized or the malicious access, disclosure, modification, or destruction of the information assets.

Conduct periodic classification reviews: This step involves conducting periodic classification reviews or assessments of the information assets, to ensure that the classification level or the label and the security markings or indicators of the information assets are accurate, consistent, and up-to-date. The periodic classification reviews or assessments can be triggered by the changes or the events that affect the sensitivity, the criticality, or the value of the information assets, such as the business needs, the legal requirements, the security incidents, or the data lifecycle. The periodic classification reviews or assessments can help to verify, validate, or update the classification level or the label and the security markings or indicators of the information assets, and to maintain or improve the security protection or the handling of the information assets.

Declassify information when appropriate: This step involves declassifying or downgrading the information assets when appropriate, to reduce or remove the security protection or the handling that the information assets require, based on the sensitivity, the criticality, or the value of the information assets, and the impact or the consequence of the unauthorized or the malicious access, disclosure, modification, or destruction of the information assets. The declassification or the downgrade of the information assets can be triggered by the changes or the events that affect the sensitivity, the criticality, or the value of the information assets, such as the expiration, the disposal, the release, or the transfer of the information assets. The declassification or the downgrade of the information assets can help to optimize, balance, or streamline the security protection or the handling of the information assets, and to support the security,

 Side channel attacks are a type of attack that exploit the physical characteristics of a system, such as power consumption, electromagnetic radiation, timing, sound, or temperature, to extract sensitive information. Secure startup mechanisms, such as secure boot or trusted boot, are primarily designed to thwart these types of attacks by verifying the integrity and authenticity of the system components before loading them into memory. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Architecture and Design, p. 201; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Architecture and Engineering, p. 331.

Automated application security testing tools are software tools that can scan, analyze, and test the code of an application for vulnerabilities, errors, or flaws. The primary advantage of using these tools is that they can test large amounts of code using fewer resources, such as time, money, and human effort, than manual testing. This can improve the efficiency, effectiveness, and coverage of the testing process. The application can be protected in the production environment, the application will fail less when tested using these tools, and detailed testing of code functions can be performed are all possible outcomes of using automated application security testing tools, but they are not the primary advantage of using them. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1017. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1039.