CISSP - Certified Information Systems Security Professional Exam Preparation Study Guide
About this ebook
CISSP - Certified Information Systems Security Professional Exam Preparation Book.
Advance your cybersecurity career with the CISSP certification. Achieving CISSP demonstrates your ability to design, implement, and manage top-tier cybersecurity programs.
Achieve success in your CISSP Exam on the first try with our new and exclusive preparation book.
This comprehensive resource is designed to help you test your knowledge, providing a collection of the latest questions with detailed explanations and official references.
Save both time and money by investing in this book, which covers all the topics included in the CISSP Exam.
This book includes two full-length, highly important practice tests, each with 125 questions, for a total of 250 questions. It also provides detailed explanations for each question and official reference links.
Dedicate your effort to mastering these CISSP Exam questions, as they offer up-to-date information on the entire exam syllabus.
This book is strategically crafted to not only assess your knowledge and skills but also to boost your confidence for the official exam.
With a focus on thorough preparation, passing the official CISSP Exam on your first attempt becomes achievable through diligent study of these valuable resources.
By earning the CISSP, you validate your expertise and gain ISC2 membership, granting access to exclusive resources, educational tools, and peer networking opportunities.
Showcase your skills, boost your career, achieve the salary you desire, and join a community of cybersecurity leaders dedicated to supporting your professional journey.
About the exam:
- Length of exam: 3 hours
- Number of questions: 100 - 150
- Item format: Multiple choice and advanced innovative items
- Passing grade: 700 out of 1000 points
Welcome!
Georgio Daccache
Georgio Daccache is an EU-certified instructor who offers over 30 courses and has authored 50+ books, e-books, and audiobooks. He has a student base of over 50,000 spanning across 190+ countries. Georgio's educational materials are accessible globally through leading platforms like Amazon, Udemy, Google Play, and Apple Books, as well as many other websites and libraries. Georgio Daccache is also the founder of the e-learning company "Tech Hub+," renowned for creating and distributing top-tier certified content and courses on Udemy. With a student base exceeding 10,000, it stands as a leading entity in Information Technology and Cybersecurity in North America and the EU. Georgio's collection of bestseller courses, books, e-books, and audiobooks has earned him several prestigious awards for his innovative teaching techniques and high-quality content.
Reviews for CISSP - Certified Information Systems Security Professional Exam Preparation Study Guide
1 rating, 1 review
- Rating: 5 out of 5 stars
Nov 13, 2024
Thank You This Is Very Good, Maybe This Can Help You
Download Full Ebook Very Detail Here :
https://amzn.to/3XOf46C
- You Can See Full Book/ebook Offline Any Time
- You Can Read All Important Knowledge Here
- You Can Become A Master In Your Business
Book preview
CISSP - Certified Information Systems Security Professional Exam Preparation Study Guide - Georgio Daccache
CISSP - Certified Information Systems Security Professional Exam Preparation
WHAT TO EXPECT ON THE CISSP EXAM:
Domain 1. Security and Risk Management (16%)
Domain 2. Asset Security (10%)
Domain 3. Security Architecture and Engineering (13%)
Domain 4. Communication and Network Security (13%)
Domain 5. Identity and Access Management (IAM) (13%)
Domain 6. Security Assessment and Testing (12%)
Domain 7. Security Operations (13%)
Domain 8. Software Development Security (10%)
Practice Test I
1) Which of the following could be considered physical assets in an organization's business impact analysis (BIA)?
A. Personal belongings of staff members
B. Disaster recovery (DR) budget allocations
C. Cloud-based applications
D. Supplies stored at an off-site facility
2) When evaluating the audit capabilities of an application, which of the following activities is MOST critical?
A. Identifying procedures for investigating suspicious activity
B. Ensuring audit records contain adequate information
C. Confirming that sufficient storage is allocated for audit logs
D. Reviewing the security plan for actions to take in case of audit failure
3) An organization wants to implement an authorization mechanism that simplifies assigning system access permissions to multiple users with similar job roles. Which type of authorization mechanism would be the BEST choice for the organization to implement?
A. Role-based access control (RBAC)
B. Discretionary access control (DAC)
C. Content-dependent Access Control
D. Rule-based Access Control
4) What is the MAIN challenge in enforcing criminal law when addressing cybercrime?
A. Defining jurisdiction is difficult
B. Law enforcement agencies lack sufficient staffing
C. Extradition treaties are rarely applied
D. There are many language barriers
5) Wi-Fi Protected Access 2 (WPA2) ensures a higher level of data protection for users by utilizing which protocol?
A. Extensible Authentication Protocol (EAP)
B. Internet Protocol Security (IPsec)
C. Secure Sockets Layer (SSL)
D. Secure Shell (SSH)
6) Which component of an operating system is responsible for ensuring security interactions between the hardware, OS, and other parts of the computing system?
A. Reference monitor
B. Trusted Computing Base (TCB)
C. Time separation
D. Security kernel
7) What process helps balance the operational and economic costs of protective measures with the benefits to mission capability?
A. Performance testing
B. Risk assessment
C. Security audit
D. Risk management
8) Clothing retailer employees are given user accounts that grant access to resources at partner businesses. All partners use common identity and access management (IAM) protocols but different technologies. According to the Extended Identity principle, what is the process flow between partner businesses to enable this IAM action?
A. The clothing retailer serves as User Self Service, verifies the user's identity based on industry standards, and sends credentials to partner businesses acting as Service Providers to grant service access.
B. The clothing retailer functions as the identity provider (IdP), verifies the user's identity based on industry standards, and sends credentials to partner businesses acting as Service Providers to grant access to services.
C. The clothing retailer operates as the Service Provider, verifies the user's identity based on industry standards, and sends credentials to partner businesses functioning as identity providers (IdPs) to grant access to resources.
D. The clothing retailer acts as the Access Control Provider, verifies user access based on industry standards, and sends credentials to partner businesses acting as Service Providers to grant access to resources.
9) Which of the following statements BEST explains the principle of least privilege in a cloud environment?
A. Only one cloud administrator is granted access to core functions.
B. All incoming and outgoing internet traffic is inspected at the packet level.
C. Routing configurations are frequently updated with the most current routes.
D. Network segments stay private if they don't need internet access.
10) An organization has accumulated a significant amount of redundant and unusable data, causing the storage area network (SAN) to fill up. Management has asked for a solution to address the ongoing storage issues. What is the BEST technical solution?
A. Compression
B. Caching
C. Replication
D. Deduplication
11) Which Wide Area Network (WAN) technology relies on the first router in the path to determine the complete route that a packet will take, eliminating the need for other routers along the way to make independent routing decisions?
A. Synchronous Optical Networking (SONET)
B. Multiprotocol Label Switching (MPLS)
C. Fibre Channel over Ethernet (FCoE)
D. Session Initiation Protocol (SIP)
12) Which of the following tools would an information security professional utilize to detect changes in content, especially unauthorized changes?
A. File Integrity Checker
B. Security information and event management (SIEM) system
C. Audit Logs
D. Intrusion detection system (IDS)
13) Which of the following elements is part of change management?
A. Technical review by business owner
B. User Acceptance Testing (UAT) before implementation
C. Cost-benefit analysis (CBA) after implementation
D. Business continuity testing
14) A company participates in a hard drive reuse program where decommissioned equipment is sold back to the vendor when it is no longer needed. The vendor offers a higher payment for functioning drives compared to non-operational equipment. Which data sanitization method would ensure the highest level of security against unauthorized data loss while also maximizing the company's return from the vendor?
A. Pinning
B. Single-pass wipe
C. Multi-pass wipes
D. Degaussing
15) When evaluating vendor certifications related to the handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to have?
A. SOC 1 Type 1
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3
16) Which type of application is regarded as high risk and serves as a common entry point for malware and viruses into a network?
A. Instant messaging or chat applications
B. Peer-to-Peer (P2P) file sharing applications
C. E-mail applications
D. End-to-end applications
17) An organization aims to incorporate mobile devices into its asset management system for improved tracking. In which tier of the reference architecture would mobile devices be monitored?
A. 0
B. 1
C. 2
D. 3
18) Which of the following is the MOST effective method for safeguarding an organization's data assets?
A. Encrypt data both in transit and at rest using current cryptographic algorithms.
B. Monitor and enforce compliance with security policies.
C. Implement Multi-Factor Authentication (MFA) and Separation of Duties (SoD).
D. Establish a Demilitarized Zone (DMZ) using proxies, firewalls, and hardened bastion hosts.
19) In a large organization, which business unit is MOST effectively positioned to initiate the provisioning and deprovisioning of user accounts?
A. Training department
B. Internal audit
C. Human resources
D. Information technology (IT)
20) What is the MAIN purpose of installing a mantrap in a facility?
A. Control traffic
B. Control air flow
C. Prevent piggybacking
D. Prevent rapid movement
21) In the Do phase of the Plan-Do-Check-Act model, which of the following is carried out?
A. Sustain and enhance the Business Continuity Management (BCM) system by implementing corrective measures based on findings from management review.
B. Track and assess performance against the business continuity policy and objectives, provide the results to management for evaluation, and decide on actions for remediation and improvement.
C. Confirm that the business continuity policy, controls, processes, and procedures have been implemented.
D. Ensure that business continuity policies, objectives, targets, controls, processes, and procedures essential for improving business continuity have been established.
22) What industry-recognized document could serve as a baseline reference for data security, business operations, or conducting a security assessment?
A. Service Organization Control (SOC) 1 Type 2
B. Service Organization Control (SOC) 1 Type 1
C. Service Organization Control (SOC) 2 Type 2
D. Service Organization Control (SOC) 2 Type 1
23) A criminal organization is preparing to attack a government network. Which of the following scenarios poses the HIGHEST risk to the organization?
A. The organization loses control over its network devices.
B. The attacker overwhelms the network with excessive communication traffic.
C. Communications for network management are interrupted.
D. The attacker gains access to sensitive information about the network's structure.
24) Which type of report requires a service organization to outline its system and define its control objectives and controls relevant to users' internal controls over financial reporting?
A. Statement on Auditing Standards (SAS) 70
B. Service Organization Control 1 (SOC1)
C. Service Organization Control 2 (SOC2)
D. Service Organization Control 3 (SOC3)
25) Which of the following is the MOST EFFECTIVE method for validating secure coding techniques against injection and overflow attacks?
A. Conducting scheduled team reviews of coding practices and techniques for identifying vulnerability patterns
B. Regularly utilizing production code routines from similar applications that are already in use
C. Employing automated tools to test for the latest recognized vulnerability patterns
D. Keeping code editing tools updated to address known vulnerability patterns
26) When addressing ethical conflicts, the information security professional must take into account various factors. In what order should these considerations be prioritized?
A. Safety of the public, obligations to individuals, obligations to the profession, and obligations to principals
B. Safety of the public, obligations to principals, obligations to the profession, and obligations to individuals
C. Safety of the public, obligations to principals, obligations to individuals, and obligations to the profession
D. Safety of the public, obligations to the profession, obligations to principals, and obligations to individuals
27) Which service management process MOST effectively assists information technology (IT) organizations in reducing costs, mitigating risks, and enhancing customer service?
A. Kanban
B. Lean Six Sigma
C. Information Technology Service Management (ITSM)
D. Information Technology Infrastructure Library (ITIL)
28) A company is looking to improve the security of its user authentication processes. After considering various options, the company has decided to adopt Identity as a Service (IDaaS). Which of the following factors influenced the company's decision to select IDaaS as their solution?
A. The in-house team does not have enough resources to manage an on-premise solution.
B. Third-party solutions are naturally more secure.
C. Third-party solutions are recognized for shifting the risk to the vendor.
D. In-house development offers greater control.
29) An organization recently experienced a web application attack that led to the theft of user session cookie information. The attacker managed to acquire this information when a user's browser executed a script after visiting a compromised website. What type of attack is MOST likely to have occurred?
A. SQL injection (SQLi)
B. Extensible Markup Language (XML) external entities
C. Cross-Site Scripting (XSS)
D. Cross-Site Request Forgery (CSRF)
30) An attack that employs social engineering and a malicious Uniform Resource Locator (URL) link to exploit a victim's active browser session with a web application is an example of which type of attack?
A. Clickjacking
B. Cross-site request forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Injection
31) Which of the following encryption technologies can operate as a stream cipher?
A. Cipher Block Chaining (CBC) with error propagation
B. Electronic Code Book (ECB)
C. Cipher Feedback (CFB)
D. Feistel cipher
32) In a disaster recovery (DR) test, which of the following characteristics would define crisis management?
A. Process
B. Anticipate
C. Strategic
D. Wide focus
33) Which of the following MOST ACCURATELY describes the role of the reference monitor in establishing access control to uphold the security model?
A. Robust operational security to protect unit members
B. Policies to verify organizational rules
C. Cyber hygiene to maintain the health of organizational systems
D. Quality design principles to guarantee quality by design
34) Which of the following describes security control volatility?
A. A reference to the effect of the security control.
B. A reference to the probability of change in the security control.
C. A reference to the unpredictability of the security control.
D. A reference to the consistency of the security control.
35) When auditing the Software Development Life Cycle (SDLC), which of the following represents one of the high-level phases of the audit?
A. Planning
B. Risk assessment
C. Due diligence
D. Requirements
36) What is the term used to refer to the geographic location where data is stored in the cloud?
A. Data privacy rights
B. Data sovereignty
C. Data warehouse
D. Data subject rights
37) Which of the following does the security design process guarantee within the System Development Life Cycle (SDLC)?
A. Appropriate security controls, security objectives, and security goals are correctly initiated.
B. Security objectives, security goals, and system testing are properly executed.
C. Appropriate security controls, security goals, and fault mitigation are effectively implemented.
D. Security goals, appropriate security controls, and validation are correctly initiated.
38) Which of the following is MOST critical to adhere to when creating information security controls for an organization?
A. Implement industry-standard best practices for security controls within the organization.
B. Exercise due diligence concerning all risk management information to customize suitable controls.
C. Examine all local and international standards and select the most stringent based on location.
D. Conduct a risk assessment and select a standard that addresses current gaps.
39) When restoring from an outage, how is the Recovery Point Objective (RPO) defined in relation to data recovery?
A. The RPO refers to the minimum quantity of data that must be recovered.
B. The RPO indicates the time required to recover an acceptable percentage of lost data.
C. The RPO represents a target goal for recovering a specific percentage of lost data.
D. The RPO defines the maximum duration for which data loss is considered acceptable.
40) Which of the following attacks, if executed successfully, could provide an intruder with complete control over a software-defined networking (SDN) architecture?
A. A brute force password attack targeting the Secure Shell (SSH) port of the controller
B. Sending control messages to establish a flow that bypasses the firewall from a compromised host within the network
C. A replay attack on Remote Authentication Dial-In User Service (RADIUS) tokens
D. Capturing the traffic from a compromised host within the network
41) Which of the following is the MOST EFFECTIVE method for minimizing the network attack surface of a system?
A. Turning off unused ports and services
B. Verifying that there are no shared group accounts on the system
C. Removing default software from the system
D. Deleting unnecessary user accounts from the system
42) The security architect is developing and implementing an internal certification authority to issue digital certificates for all employees. Which of the following is the MOST SECURE method for storing the private keys?
A. Physically secured storage device
B. Trusted Platform Module (TPM)
C. Encrypted flash drive
D. Public key infrastructure (PKI)
43) Which security strategy is MOST ACCURATELY characterized by the presence of physical barriers, access systems using cards and personal identification numbers (PINs), surveillance cameras, alarms, and security personnel?
A. Access control
B. Security information and event management (SIEM)
C. Defense-in-depth
D. Security perimeter
44) A hospital adheres to the Code of Fair Information Practices. What practice is relevant when a patient requests their medical records through a web portal?
A. Purpose specification
B. Collection limitation
C. Use limitation
D. Individual participation
45) A colleague who recently departed from the organization has requested a copy of the organization's confidential incident management policy. What is the MOST APPROPRIATE response to this request?
A. Access the policy on a company-issued device and allow the former colleague to view it on screen.
B. Send the policy via email to the colleague since they were previously part of the organization and are familiar with it.
C. Do not respond to the request from the former colleague and disregard it.
D. Submit the request through official company channels to confirm that the policy can be shared.
46) Which of the following MOST ACCURATELY describes when an organization should perform a black box security audit on a new software product?
A. When the organization aims to verify non-functional compliance
B. When the organization intends to identify known security vulnerabilities within their infrastructure
C. When the organization is assured that the final source code is complete
D. When the organization has encountered a security incident
47) In software development, which of the following entities typically signs the code to ensure its integrity?
A. The organization developing the code
B. The quality control group
C. The developer
D. The data owner
48) Which of the following technologies can be utilized to monitor and