Free Practice Questions for ISC CISSP Exam

An Electronic Access Control (EAC) token is best known for its ability to overcome the problems of key assignments in a physical security system. An EAC token is a device that can be used to authenticate a user or grant access to a physical area or resource, such as a door, a gate, or a locker2. An EAC token can be a smart card, a magnetic stripe card, a proximity card, a key fob, or a biometric device. An EAC token can overcome the problems of key assignments, which are the issues or challenges of managing and distributing physical keys to authorized users, such as lost, stolen, duplicated, or unreturned keys. An EAC token can provide more security, convenience, and flexibility than a physical key, as it can be easily activated, deactivated, or replaced, and it can also store additional information or perform other functions. Monitoring the opening of windows and doors, triggering alarms when intruders are detected, and locking down a facility during an emergency are not the abilities that an EAC token is best known for, as they are more related to the functions of other components of a physical security system, such as sensors, alarms, or locks. References: 2: CISSP For Dummies, 7th Edition, Chapter 9, page 253.

The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using the GRANT and REVOKE commands. DAC is a type of access control that allows the owner or creator of an object, such as a table, view, or procedure, to grant or revoke permissions to other users or roles. For example, a user can grant SELECT, INSERT, UPDATE, or DELETE privileges to another user on a specific table, or revoke them if needed34. References: 3: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 4134: CISSP For Dummies, 7th Edition, Chapter 4, page 123.

The best practice for implementing a change to a database schema in a production system is to follow a change management process that includes the following steps: Change in development, perform user acceptance testing, develop a back-out strategy, and implement change. This ensures that the change is properly tested, approved, documented, and communicated, and that there is a contingency plan in case of failure or unexpected results12. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 8232: CISSP For Dummies, 7th Edition, Chapter 8, page 263.

 The best response to the auditor is to demonstrate that the system enforces the password policy and does not allow non-compliant passwords to be created. This way, the auditor can verify the compliance without compromising the confidentiality or integrity of the encrypted passwords. Providing the encrypted passwords and analysis tools to the auditor (A) may expose the passwords to unauthorized access or modification. Analyzing the encrypted passwords for the auditor and showing them the results (B) may not be sufficient to convince the auditor of the compliance, as the results could be manipulated or falsified. Demonstrating that non-compliant passwords cannot be encrypted in the system (D) is not a valid response, as encryption does not depend on the compliance of the passwords. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 241; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, page 303.

Granularity is the degree of detail or precision that an access control system can provide. A granular access control system can specify different levels of access for different users, groups, resources, or conditions. For example, a granular firewall can allow or deny traffic based on the source, destination, port, protocol, time, or other criteria

Network Address Translation (NAT) is the most effective method for obscuring network addresses from external exposure when implemented on a firewall or router. NAT is a technique that allows a device, such as a firewall or a router, to modify the source or destination IP address of a packet as it passes through the device3. NAT can be used to hide the internal IP addresses of a network from the external network, such as the internet, by replacing them with a public IP address. This can enhance the security and privacy of the network, as well as conserve the limited IPv4 address space. Application proxy, RIP version 2, and address masking are not methods for obscuring network addresses from external exposure, as they are either related to different functions or not implemented on a firewall or router. References: 3: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 4, page 196. : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 413.

Permission is the type of authorized interactions a subject can have with an object. Permission is a rule or a setting that defines the specific actions or operations that a subject can perform on an object, such as read, write, execute, or delete1. Permission is usually granted by the owner or the administrator of the object, and can be based on the identity, role, or group membership of the subject. Control, procedure, and protocol are not types of authorized interactions a subject can have with an object, as they are related to different aspects of access control or security. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 355.

A vulnerability test is a type of security assessment that identifies and analyzes the security weaknesses in an information system. The purpose of a vulnerability test is to evaluate the effectiveness of security controls and to provide recommendations for improvement. A vulnerability test does not exploit the security weaknesses or measure the system performance. A vulnerability test is also different from a penetration test, which is a type of security assessment that attempts to exploit the security weaknesses and gain unauthorized access to the system. A vulnerability test is also not related to disaster recovery planning, which is a process of preparing for and recovering from a disruptive event that affects the availability of an information system. 

 The best method of demonstrating a company’s security level to potential customers is a report from an external auditor, who is an independent and qualified third party that evaluates the company’s security policies, procedures, controls, and practices against a set of standards or criteria, such as ISO 27001, NIST, or COBIT. A report from an external auditor provides an objective and credible assessment of the company’s security posture, and may also include recommendations for improvement or certification . References: : CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 47. : CISSP For Dummies, 7th Edition, Chapter 1, page 29.

A trojan horse is a type of malware that masquerades as a legitimate program or file, but performs malicious actions in the background. A trojan horse may open unauthorized ports on the infected system, allowing remote access or communication by the attacker or other malware12. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 6432: CISSP For Dummies, 7th Edition, Chapter 6, page 189.

The first security action that should be taken when computer personnel are terminated from their jobs is to remove their computer access. Computer access is the ability to log in, use, or modify the computer systems, networks, or data of the organization3. Removing computer access can prevent the terminated personnel from accessing or harming the organization’s information assets, or from stealing or leaking sensitive or confidential data. Removing computer access can also reduce the risk of insider threats, such as sabotage, fraud, or espionage. Requiring them to turn in their badge, conducting an exit interview, and reducing their physical access level to the facility are also important security actions that should be taken when computer personnel are terminated from their jobs, but they are not as urgent or critical as removing their computer access. References: 3: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 5, page 249.

Network bandwidth is the least important consideration when considering transmission security, as it is more related to the performance or efficiency of the network, rather than the security or protection of the data. Network bandwidth is the amount of data that can be transmitted or received over a network in a given time period, and it can affect the speed or quality of the communication1. However, network bandwidth does not directly impact the confidentiality, integrity, or availability of the data, which are the main goals of transmission security. Network availability, data integrity, and node locations are more important considerations when considering transmission security, as they can affect the ability to access, verify, or protect the data from unauthorized or malicious parties. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 402.

The first step in developing a security test and its evaluation is to identify all applicable security requirements. Security requirements are the specifications or criteria that define the security objectives, expectations, and needs of the system or network. Security requirements may be derived from various sources, such as business goals, user needs, regulatory standards, contractual obligations, or best practices. Identifying all applicable security requirements is essential to establish the scope, purpose, and criteria of the security test and its evaluation. Determining testing methods, developing testing procedures, and identifying people, processes, and products not in compliance are subsequent steps that should be done after identifying the security requirements, as they depend on the security requirements to be defined and agreed upon. References: : Security Testing - Overview : Security Testing - Planning

Copyright is a form of intellectual property that grants the author or creator of an original work the exclusive right to reproduce, distribute, perform, display, or license the work. Copyright does not protect ideas, concepts, facts, discoveries, or methods, but only the particular expression of an idea in a tangible medium, such as a book, a song, a painting, or a software program12. References: 1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, page 2872: CISSP For Dummies, 7th Edition, Chapter 3, page 87.