Free Practice Questions for ISC CISSP Exam

The best description of the responsibilities of a data owner is determining the impact the information has on the mission of the organization. A data owner is a person or entity that has the authority and accountability for the creation, collection, processing, and disposal of a set of data. A data owner is also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. A data owner should be able to determine the impact the information has on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the information on the mission of the organization is one of the main criteria for data classification, which helps to establish the appropriate level of protection and handling for the data.

The other options are not the best descriptions of the responsibilities of a data owner, but rather the responsibilities of other roles or functions related to data management. Ensuring quality and validation through periodic audits for ongoing data integrity is a responsibility of a data steward, who is a person or entity that oversees the quality, consistency, and usability of the data. Maintaining fundamental data availability, including data storage and archiving is a responsibility of a data custodian, who is a person or entity that implements and maintains the technical and physical security of the data. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security is a responsibility of a data controller, who is a person or entity that determines the purposes and means of processing the data.

The passage of time is one of the factors that affects the classification of data. Data classification is the process of assigning a level of sensitivity or criticality to data based on its value, impact, and legal requirements. Data classification helps to determine the appropriate security controls and handling procedures for the data. However, data classification is not static, but dynamic, meaning that it can change over time depending on various factors. One of these factors is the passage of time, which can affect the relevance, usefulness, or sensitivity of the data. For example, data that is classified as confidential or secret at one point in time may become obsolete, outdated, or declassified at a later point in time, and thus require a lower level of protection. Conversely, data that is classified as public or unclassified at one point in time may become more valuable, sensitive, or regulated at a later point in time, and thus require a higher level of protection. Therefore, data classification should be reviewed and updated periodically to reflect the changes in the data over time.

The other options are not factors that affect the classification of data, but rather the outcomes or components of data classification. Assigned security label is the result of data classification, which indicates the level of sensitivity or criticality of the data. Multilevel Security (MLS) architecture is a system that supports data classification, which allows different levels of access to data based on the clearance and need-to-know of the users. Minimum query size is a parameter that can be used to enforce data classification, which limits the amount of data that can be retrieved or displayed at a time.

 When assigning ownership of an asset to a department, the most important factor is to ensure individual accountability for the asset. Individual accountability means that each person who has access to or uses the asset is responsible for its protection and proper handling. Individual accountability also implies that each person who causes or contributes to a security breach or incident involving the asset can be identified and held liable. Individual accountability can be achieved by implementing security controls such as authentication, authorization, auditing, and logging.

The other options are not as important as ensuring individual accountability, as they do not directly address the security risks associated with the asset. The department should report to the business owner is a management issue, not a security issue. Ownership of the asset should be periodically reviewed is a good practice, but it does not prevent misuse or abuse of the asset. All members should be trained on their responsibilities is a preventive measure, but it does not guarantee compliance or enforcement of the responsibilities.

Asymmetric Card Authentication Key (CAK) challenge-response is an effective control in preventing electronic cloning of RFID based access cards. RFID based access cards are contactless cards that use radio frequency identification (RFID) technology to communicate with a reader and grant access to a physical or logical resource. RFID based access cards are vulnerable to electronic cloning, which is the process of copying the data and identity of a legitimate card to a counterfeit card, and using it to impersonate the original cardholder and gain unauthorized access. Asymmetric CAK challenge-response is a cryptographic technique that prevents electronic cloning by using public key cryptography and digital signatures to verify the authenticity and integrity of the card and the reader. Asymmetric CAK challenge-response works as follows:

The card and the reader each have a pair of public and private keys, and the public keys are exchanged and stored in advance.

When the card is presented to the reader, the reader generates a random number (nonce) and sends it to the card.

The card signs the nonce with its private key and sends the signature back to the reader.

The reader verifies the signature with the card’s public key and grants access if the verification is successful.

The card also verifies the reader’s identity by requesting its signature on the nonce and checking it with the reader’s public key.

Asymmetric CAK challenge-response prevents electronic cloning because the private keys of the card and the reader are never transmitted or exposed, and the signatures are unique and non-reusable for each transaction. Therefore, a cloned card cannot produce a valid signature without knowing the private key of the original card, and a rogue reader cannot impersonate a legitimate reader without knowing its private key.

The other options are not as effective as asymmetric CAK challenge-response in preventing electronic cloning of RFID based access cards. Personal Identity Verification (PIV) is a standard for federal employees and contractors to use smart cards for physical and logical access, but it does not specify the cryptographic technique for RFID based access cards. Cardholder Unique Identifier (CHUID) authentication is a technique that uses a unique number and a digital certificate to identify the card and the cardholder, but it does not prevent replay attacks or verify the reader’s identity. Physical Access Control System (PACS) repeated attempt detection is a technique that monitors and alerts on multiple failed or suspicious attempts to access a resource, but it does not prevent the cloning of the card or the impersonation of the reader.

Identity as a Service (IDaaS) is the best contract in offloading the task of account management from the IT staff. IDaaS is a cloud-based service that provides identity and access management (IAM) functions, such as user authentication, authorization, provisioning, deprovisioning, password management, single sign-on (SSO), and multifactor authentication (MFA). IDaaS can help the organization to streamline and automate the account management process, reduce the workload and costs of the IT staff, and improve the security and compliance of the user accounts. IDaaS can also support the contractors who have limited onsite time, as they can access the organization’s resources remotely and securely through the IDaaS provider.

The other options are not as effective as IDaaS in offloading the task of account management from the IT staff, as they do not provide IAM functions. Platform as a Service (PaaS) is a cloud-based service that provides a platform for developing, testing, and deploying applications, but it does not manage the user accounts for the applications. Desktop as a Service (DaaS) is a cloud-based service that provides virtual desktops for users to access applications and data, but it does not manage the user accounts for the virtual desktops. Software as a Service (SaaS) is a cloud-based service that provides software applications for users to use, but it does not manage the user accounts for the software applications.

 A secure digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document. A secure digital signature requires a private key that is known only to the signer and a public key that is available to anyone who wants to verify the signature. A Trusted Platform Module (TPM) is a hardware device that securely stores cryptographic keys, such as the private key for digital signatures. A TPM can also perform cryptographic operations, such as generating, signing, and verifying digital signatures. A TPM can prevent unauthorized access or tampering with the keys and the application that uses them. A TPM can also provide attestation, which is the ability to prove that the application has not been modified or compromised. The other options do not address the requirement of checking for a secure digital signature before the application is accessed on a user’s laptop. Hardware encryption is a technique that encrypts data using a hardware device, such as a USB drive or a hard disk. Hardware encryption does not verify the authenticity or integrity of the data or the application. A certificate revocation list (CRL) policy is a set of rules that defines how to check the validity of digital certificates, which are electronic documents that bind a public key to an identity. A CRL policy does not verify the digital signature itself, but rather the certificate that contains the public key. A key exchange is a process that allows two parties to securely establish a shared secret key over an insecure channel, such as the internet. A key exchange does not verify the digital signature, but rather enables the encryption and decryption of the data or the application. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Engineering, pp. 240-241, 246-247; CISSP Practice Exam – FREE 20 Questions and Answers, Question 17

The most important factor when determining appropriate countermeasures for an identified risk is the organizational risk tolerance, which is the level of risk that the organization is willing to accept or reject. The risk tolerance reflects the organization’s mission, objectives, culture, and values, and influences the selection and implementation of security controls. The risk tolerance also helps to balance the cost and benefit of the countermeasures, as well as the interaction with existing controls and the availability of patches. References: CISSP domain 1: Security and risk management, Risk management concepts and the CISSP (part 1), Learn About the Different Types of Risk Analysis in CISSP, Risk Response, countermeasures, considerations and controls, The 8 CISSP Domains Explained

One of the steps that can be taken to prepare personally identifiable information (PII) for processing by a third party is to maintain the personal information separately connected with a one-way reference. PII is any information that can be used to identify, contact, or locate a specific individual, such as name, address, phone number, email, or social security number. PII should be protected from unauthorized access, use, or disclosure, especially when it is processed by a third party, such as a cloud service provider, a data processor, or a business partner. One of the ways to protect PII is to separate the personal information from the other data, and connect them with a one-way reference, such as a hash or a token. This can reduce the risk of exposing the personal information to the third party, as well as prevent the re-identification of the individual from the other data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 223; [Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5: Identity and Access Management, page 312]

A cold site is a type of backup site that provides the basic infrastructure, such as power, climate control, raised flooring, and telephone wiring, but not the computer and peripheral equipment. A cold site requires a longer recovery time than a warm site or a hot site, as the equipment and data need to be transported and installed at the site. A warm site is a backup site that has some of the equipment and data ready, but not fully operational. A hot site is a backup site that has all the equipment and data ready, and can be switched on immediately. A reciprocal site is an agreement between two organizations to use each other’s facilities in case of a disaster. References: [CISSP CBK Reference, 5th Edition, Chapter 7, page 365]; [CISSP All-in-One Exam Guide, 8th Edition, Chapter 7, page 345]

SAML is an XML-based standard for exchanging authentication and authorization data between different parties, such as a service provider and an identity provider. SAML enables single sign-on (SSO) for web applications, which means that users can access multiple services with one set of credentials. SAML also improves security by not passing the users’ password during authentication, but instead using assertions that contain information about the user’s identity and attributes. SAML assertions are digitally signed and encrypted to ensure their integrity and confidentiality. SAML does not use TLS to address confidentiality, although it can be used as an additional layer of protection. SAML does not limit unnecessary data entry on web forms, although it can reduce the need for users to enter their credentials repeatedly. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 291. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), page 609.

Network Access Control (NAC) is a solution that verifies the security posture and compliance of endpoints before granting them access to the network. NAC can check the endpoint security protections, such as antivirus, firewall, patch level, and OS version, and enforce policies based on the results. NAC can also quarantine or remediate non-compliant endpoints to prevent them from compromising the network security. NAC is the best solution to implement among the given options, as it provides both verification and enforcement of endpoint security. An intrusion prevention system (IPS) is a device that monitors network traffic and blocks or alerts on malicious or suspicious activities. An IPS does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. An IPS is a reactive rather than proactive solution. A firewall is a device that controls the network traffic based on predefined rules. A firewall does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. A firewall is a preventive rather than detective solution. An intrusion detection system (IDS) is a device that monitors network traffic and alerts on malicious or suspicious activities. An IDS does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. An IDS is a passive rather than active solution. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Security Assessment and Testing, p. 518-519. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 451-452.

The most common attack leveraged against this flaw is that the attacker forges requests to authenticate as a different user. SAML is a standard that enables the exchange of authentication and authorization data between different security domains, such as a service provider and an identity provider. SAML uses XML-based messages, called assertions, to convey the information about the identity, attributes, and entitlements of a user. SAML enables single sign-on (SSO), which is a feature that allows a user to access multiple services or applications with a single login session. A flaw in the SAML implementation or configuration could allow an attacker to spoof a registered account on the network and query the SAML provider. The most common attack leveraged against this flaw is that the attacker forges requests to authenticate as a different user, by manipulating or tampering with the SAML assertions. For example, the attacker could modify the user identifier, the timestamp, the signature, or the encryption of the SAML assertion, and use it to impersonate or access another user’s account or privileges. This attack could compromise the security and integrity of the SAML-based SSO system, and allow the attacker to access the sensitive or confidential data or resources of the service provider or the identity provider. References: CISSP All-in-One Exam Guide, Chapter 5: Identity and Access Management, Section: Federated Identity Management, pp. 427-428.

A denial of service (DoS) attack is an attempt to prevent legitimate users from accessing a service or a resource by overwhelming it with malicious traffic or requests. A hacker can use a lockout capability to start a DoS attack by repeatedly sending invalid authentication attempts to a system or an application that has a policy of locking out accounts after a certain number of failed attempts. This can result in locking out legitimate users from accessing the system or the application, or consuming the system’s resources and slowing down its performance. A dictionary attack is a type of brute force attack that tries to guess passwords or encryption keys by using a list of common or likely words. A ping flood attack is a type of DoS attack that sends a large number of ping packets to a target system, hoping to consume its bandwidth or processing power. A man-in-the-middle (MITM) attack is a type of attack that intercepts and alters the communication between two parties, without their knowledge or consent. References: CISSP CBK Reference, 5th Edition, Chapter 6, page 323; CISSP All-in-One Exam Guide, 8th Edition, Chapter 6, page 293

The role that provides the authoritative guidance for the transfer of project-related Controlled Unclassified Information (CUI) between systems of differing security classifications is the mission/business owner. The mission/business owner is the person or the entity that has the authority and the responsibility for the mission or the business function that requires the use of the CUI. The mission/business owner should determine the security requirements, the classification levels, the dissemination controls, and the transfer procedures for the CUI, in accordance with the relevant laws, regulations, and standards. The mission/business owner should also coordinate with the information owner, the data custodian, and the project manager to ensure the proper handling and protection of the CUI. The information owner is the person or the entity that has the authority and the responsibility for the creation, collection, processing, or dissemination of the information, such as the CUI. The information owner should assign the security classification and the access permissions for the information, and delegate the operational tasks to the data custodian. The data custodian is the person or the entity that has the authority and the responsibility for the storage, maintenance, and protection of the information, such as the CUI. The data custodian should implement the security controls and the backup and recovery procedures for the information, and follow the instructions of the information owner and the mission/business owner. The project manager is the person or the entity that has the authority and the responsibility for the planning, execution, monitoring, and closure of the project that involves the use of the information, such as the CUI. The project manager should coordinate with the project team, the stakeholders, and the sponsors to ensure the successful delivery of the project, and comply with the security requirements and the transfer procedures for the information, as defined by the mission/business owner and the information owner. References: [CISSP CBK Reference, 5th Edition, Chapter 1, page 19]; [CISSP All-in-One Exam Guide, 8th Edition, Chapter 1, page 13]

The patch should be applied first to the lower environment, before being applied to the higher environments, such as the server, desktop, or production environment. The lower environment is the environment that is used for testing, development, or staging purposes, and that is isolated from the higher environments, which are used for operational, functional, or live purposes. The lower environment is the best place to apply the patch first, as it can help to verify the functionality, compatibility, and security of the patch, and to identify and resolve any issues or errors that may arise from the patch. Applying the patch to the lower environment first can help to minimize the risk and impact of the patch to the higher environments, and to ensure the quality and reliability of the patch . References: [CISSP CBK, Fifth Edition, Chapter 6, page 568]; [CISSP Practice Exam – FREE 20 Questions and Answers, Question 16].